How I earn $500 from Razer open S3 bucket

Sourav Sahana
Jan 12, 2020 · 3 min read

Hi Hunters! Hope you are all hunting well. Back again with another write-up. I submitted this report to Razer and they rewarded me $500 for it, so I have written down all the details from the beginning. If you already have good knowledge of AWS, you can skip ahead to “How Developers leave buckets vulnerable?”. Let’s begin the show..

So what is an AWS S3 bucket?

An Amazon S3 bucket is a container in Amazon’s public cloud storage service (Simple Storage Service, or S3). Every bucket has a globally unique name. You have probably heard about AWS subdomain takeover: if a domain points at an S3 bucket to host a website and that bucket no longer exists in AWS, you can claim the bucket name, which means whatever you upload to the bucket is rendered on the website. But buckets are not limited to this. S3 buckets are used for many purposes: anyone can store personal files in them, and applications often store users’ profile pictures, JavaScript files, etc.

How Developers leave buckets vulnerable?

There are mainly three access-control configurations of an S3 bucket.

(1) The bucket can’t be accessed publicly.

(2) People can only list the bucket’s contents (the keys). You should always look for sensitive files in this type of bucket.

(3) All access is given publicly, so you can upload to and delete anything from the bucket. I use the AWS CLI to see how a bucket is configured.
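As an added example (not from the original post), the following Python script maps a bucket policy document onto the three configurations above by working out which S3 actions an anonymous principal is granted. A bucket owner can run it on the output of `aws s3api get-bucket-policy`; it looks at the policy only, so Block Public Access settings and object ACLs still have to be checked separately, and policy Conditions are deliberately ignored so the check over-approximates rather than misses an exposure.

```python
import fnmatch
import json

# S3 actions an anonymous caller needs for the write-up's exposure classes:
# listing keys (class 2) and uploading or deleting objects (class 3).
PUBLIC_ACTIONS = {
    "list": "s3:ListBucket",
    "read": "s3:GetObject",
    "write": "s3:PutObject",
    "delete": "s3:DeleteObject",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when a statement applies to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _matches(action, patterns):
    # IAM action names are case-insensitive and patterns may use '*' ("s3:*", "s3:Put*").
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)

def public_permissions(policy_json):
    """Return the PUBLIC_ACTIONS keys an anonymous caller gets from a bucket policy.
    An explicit Deny wins over Allow, as in IAM. Conditions are ignored on purpose."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        for name, action in PUBLIC_ACTIONS.items():
            if _matches(action, patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(name)
    return allowed - denied

def classify(policy_json):
    """Map a bucket policy onto the three configurations from the write-up."""
    perms = public_permissions(policy_json)
    if perms & {"write", "delete"}:
        return "public-write"  # (3): anyone can upload or delete objects
    if "list" in perms:
        return "public-list"   # (2): anyone can enumerate keys
    return "private"           # (1): public GetObject alone is not enumerable

if __name__ == "__main__":
    # Constructed sample policy (not Razer's): the wide-open shape behind class (3).
    sample = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
    print(classify(sample))  # public-write
```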

How I found the open bucket in Razer..

I was playing with this domain: https://api.razer.com . There is a file upload functionality. First I started uploading malicious files to see if I could get any RCE, but that was implemented properly. But when I uploaded something, the response showed the picture’s location, where the picture had been uploaded. And that was an S3 bucket. Immediately I opened the terminal and ran this command to upload a txt file:

#aws s3 cp test.txt s3://rzimageupload


And BaaM!! I could upload and delete files from the bucket. I reported it.

Bucket from the Android app…

The next day I was testing the Razer Android app. Almost all programs don’t accept issues that require root access and a physical device. That’s why many hunters don’t check internal files. But I found this bucket: kaizo-s3-public.s3-ap-southeast-1.amazonaws.com in the shared_prefs directory. And again, this was also an open bucket. So I mentioned this in the previous report.


H1 report: https://hackerone.com/reports/700051

My report was triaged and I got a $500 bounty.

Thank you.. Hope you have enjoyed this. Stay tuned because I have more web and Android reports to share.

Sourav Sahana

Bug bounty writeups

Sourav Sahana

Written by

Hey! My name is Sourav and I’m a security researcher/hacker from India. Follow me if you are a bug hunter to see my findings.
