How I hacked 92k users' information using an open S3 bucket

Rudra Sarkar
Nov 30, 2019 · 4 min read
Invoices

First of all, this is the biggest hack I have done in my life. I found the website a few days ago while I was looking for a bus ticket. After booking the bus ticket I thought, let's find something there. I knew they don't have a bug bounty, but that didn't matter; I started hunting. Long story short, let's get into the steps of how I did all this.

Checking Technology

They are using the Laravel framework and Vue.js, which, as we know, comes with Laravel. They are also using Amazon AWS S3.

I reported the first bug, which was a Blind XSS, and they replied to me:

Reply From CTO

So, one of the admins logged into their admin panel and I got a notification from XSS Hunter. Again I sent a mail to the CTO with the DOM snippet, which contained user information like name and mobile number.

Admin Resource Dashboard

After this, the CTO wanted to meet with me.

Reply from CTO

Before I set the meeting time I found another bug, an IDOR on a subdomain. Using the vulnerability I was able to check any user's wallet information. My friend Aayush Pokhrel helped me find the subdomain, and then I reported the IDOR issue to the CTO.

Who doesn't want to get an invite from a company 😍

Then I went forward and kept hunting. After checking the source code I found that they are using Amazon AWS S3, and I visited the URL, which looked like:

https://s3.ap-south-1.amazonaws.com/cdn-redacted/redacted_***/static/css/app.a852a04b6405ea05ffe709430e138802.css

It showed CSS code. Then I thought 🤔, let's check whether it's open or not, so I visited https://s3.ap-south-1.amazonaws.com/cdn-redacted/ and found that it was publicly open.

Dude it’s gonna be a blast right now 💥

I fired up my Kali, set up the AWS CLI and then tried typing a command to see what's in there. After 10 minutes my AWS account got suspended because my card had expired, so I asked Aayush Pokhrel for help, but he also didn't have an AWS account. Then Aayush talked with Smaran Chand, who gave me his access token and secret key. I configured my AWS CLI and then I got all of this below:

$ aws s3 ls s3://cdn-redacted

Bucket Information

As you can see, there is db_backups/

Database Backup

Its size is almost 430 MB; I found almost 92K+ users' information in the database backup.

This is how I got all the information. I synced the whole bucket (total size: 35.6 GB) to my PC to show the CTO, so they could understand the issue clearly.
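An added example, not from the original post, of the check the bucket owner should have been running on their side: given the ACL grants, bucket policy and Block Public Access settings that the S3 API returns for a bucket, it reports whether anonymous listing (what `aws s3 ls` relied on above) or anonymous object reads are possible. The inputs are constructed sample values, and conditional policy statements are deliberately left for manual review rather than flagged.

```python
import fnmatch

# Grantee URIs S3 uses for "everyone" and "any signed-in AWS user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _as_list(value):
    """Policy fields may be one item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _is_anonymous(principal):
    """True when a Principal covers everyone: "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))


def public_exposure(acl_grants, policy, public_access_block):
    """Return the subset of {'list', 'read'} that anonymous callers get."""
    exposure, pab = set(), public_access_block or {}
    # Block Public Access: IgnorePublicAcls voids public ACL grants, RestrictPublicBuckets voids public policy statements.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if (grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
                    and grant.get("Permission") in ("READ", "FULL_CONTROL")):
                exposure.add("list")  # READ on a bucket ACL means ListBucket
    if not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list((policy or {}).get("Statement")):
            # Conditional statements are left for manual review, not flagged.
            if (stmt.get("Effect") != "Allow" or stmt.get("Condition")
                    or not _is_anonymous(stmt.get("Principal"))):
                continue
            for action in _as_list(stmt.get("Action")):
                pattern = action.lower()  # IAM action names are case-insensitive
                if fnmatch.fnmatchcase("s3:listbucket", pattern):
                    exposure.add("list")
                if fnmatch.fnmatchcase("s3:getobject", pattern):
                    exposure.add("read")
    return exposure


# Constructed samples: an ACL that lets anyone list the bucket, a policy that
# lets anyone fetch objects, and the hardened settings that neutralise both.
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
if __name__ == "__main__":
    print(sorted(public_exposure(SAMPLE_ACL, SAMPLE_POLICY, None)))  # ['list', 'read']
    print(sorted(public_exposure(SAMPLE_ACL, SAMPLE_POLICY, HARDENED_PAB)))  # []
```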

What I Got From The Bucket

  • Database Backup
  • Invoices
  • Affiliate Payment information with users phone number
  • Top-up success information
  • Lots of e-mail, including sensitive information
  • Call record between customer and customer care

Then I met with the CTO and Co-Founder and showed them all the stuff I got. They really appreciated my findings.

Then the company offered me a job as a Security Engineer, and I was really surprised.

Let’s Dance xD

Thanks for reading. If there are any mistakes in spelling, pardon me. Find me on Twitter @rudr4_sarkar

Rudra Sarkar

Written by

Synack Red Team Member , Bug Bounty Hunter
