Hacking To Deface Into Indian News Media Outlet- ANI News Agency

Hello Friends,

I am posting after a long time. I believe it is better to write something about a good find rather than posting xss, csrf on xyz unimportant sites.

In this post, I will share about one of my findings by which anyone could have uploaded or deleted anything on the Amazon AWS instance run by ANI NEWS.

What is ANI (Asian News International) ?

ANI News is one of the very famous private news media outlets based in India. It claims to provide multimedia news to 50 bureaus in India and most of South Asia.

ANI News came to my attention when PM Modi was interviewed by Smitha Prakash. Well, I won’t speculate on the success of the interview, but for sure it made them catch the eyeballs of all the citizens of the country.

AWS Misconfiguration

I noticed that ANI uses an amazon aws instance to store all the images available on their website.

I started playing with it, and within a short span of time found , HTTP methods PUT,DELETE was enabled. Anyone was able to upload/delete anything on the aws instance.

As a test, I deleted an image from a old article on their website.

Also to give a proof of concept, I had uploaded a .text file.

Guys you can just imagine it in the hands of people with malicious intent. Anyone could have deleted the entire images stored on their aws.

Also, as a fun fact the logo was also loaded from aws. So what if anyone could delete it and upload a new image instead of it. It would created so much public attention.

The moment I found this, I immediately reported this bug to all the available contacts on the site. As a matter of fact, some mails were not even working.

I never got any response from them. I had also forwarded mails to Cert-In and Kerala Police Cyberdome.

Kerala Police Cyberdome has been super responsive. The bug has been resolved now. However, I am still unaware of who took the initiative of patching it up.

Though I am happy that I did my duty. They have not deleted my .txt from the instance. Maybe they would have kept it as remembrance. IDK. But we are still able to have read access to instance. I don’t think that would be a problem as it only contains images.

Thank you. Appreciate a clap or two.