#BugBounty — AWS S3 added to my “Bucket” list!

Hi Guys,

You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images. In this particular blog, I would be explaining you “How misconfigured AWS storage bucket can be a huge security risk”.

Recently during my bug hunting, I came across a misconfigured AWS S3 bucket of an Indian E-commerce Company which gave me full access to their S3 bucket, allowing them to download, upload and overwrite files. Let’s dig deeper into this and see how I was able to do so — So , while in search for some security vulnerabilities in the website , I came across a career page from where users can apply for the relevant jobs and upload their resume. I started testing it out and found an endpoint (let’s name the company out as xyz )-

https://xyz.s3.amazonaws.com/career%2Ftest.pdf” and there was no ACL restriction set , any non-authenticated user could simply access any file and below was the curl request —

curl -XGET ‘https://xyz.s3.amazonaws.com/career/test.pdf'

and the response was the content of test.pdf. Similarly , I discovered that “PUT” method was enabled on the S3 bucket and I could simply write any file onto the S3 bucket , it was publicly writable.

curl -XPUT -d ‘HACKED’ ‘https://xyz.s3.amazonaws.com/career/test.pdf'

I ran some bruteforcing over filename and I was able to read the resume content of other users. :) , Now, I have to take this one level up , my next target was to list down and read all the files that were available onto S3 bucket. I connected to s3 command line and run the following command

“ root@logicbomb~# aws s3 ls s3://xyz.s3.amazonaws.com

and to no surprise, I was able to access the complete s3 bucket , all the CVs/Resume of users (also there were more sensitive data and directories ) were publicly accessible and readable :) I tried some more commands -

root@logicbomb:~# aws s3 rm s3://xyz.s3.amazonaws.com/career/test.pdf

delete: s3://xyz.s3.amazonaws.com/career/test.pdf

and I was also able to delete the files also.

As a conclusion resides that Misconfigured S3 bucket may take your organisation to expose sensitive data.

Mitigation — Advise you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend. For reference, you can read the below link —

Report details-

08-Dec-2017 — Bug reported to the concerned company.

29-Dec-2017 — Bug was marked fixed.

01-Jan-2018 — Re-tested and confirmed the fix.

07-Jan-2018 — Awarded by company.

Thanks for reading!

~Logicbomb (https://twitter.com/logicbomb_1)

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store