Exploiting misconfigured AWS S3 Buckets!

Vignesh C
Published in Vault Infosec
2 min read · Oct 29, 2019

I found a misconfigured S3 bucket at a global customer service tech company, where the misconfiguration of the S3 bucket allowed any authenticated user to upload files to, and delete files from, their S3 bucket.

I am redacting the bucket name/company name as “<xyz>”, as requested by the affected company.

[Image: AWS Simple Storage Service (S3 Buckets)]

Bucket : https://<xyz>-uploads.s3-eu-west-1.amazonaws.com/

Proof-of-concept:

  1. Configure the AWS CLI on your Windows/Linux/Mac machine.
  2. Execute the commands below from the CLI:

     Uploading a file — aws s3 cp test.html s3://<xyz>-uploads/

     Deleting a file — aws s3 rm s3://<xyz>-uploads/test.html

     Listing the files — aws s3 ls s3://<xyz>-uploads/

  3. I received an email from the VP of Engineering that they had fixed the issue; below is my confirmation to them.

Recommendation:

  1. Review the bucket ACLs to verify WRITE and WRITE_ACP are only set on specific users, never on groups such as AllUsers or AuthenticatedUsers.
  2. Review how you upload objects to S3 buckets and make sure you set the proper ACLs on both buckets and objects.
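A check for the first recommendation (and, because object ACLs share the same document shape, the second), added here as an example and not part of the original post: it parses an ACL document in the JSON form returned by `aws s3api get-bucket-acl` / `aws s3api get-object-acl` and flags every grant that gives the AllUsers or AuthenticatedUsers group a write-like permission. The ACL in the block is constructed for illustration, not taken from the affected bucket. Note that AuthenticatedUsers means any holder of any AWS account, not only the bucket owner's own users, which is why the finding above is effectively a publicly writable bucket.

```python
"""Audit an S3 ACL document for grants to the public AllUsers / AuthenticatedUsers
groups. Added example, not code from the original post. The ACL below is
constructed for illustration in the JSON shape returned by
`aws s3api get-bucket-acl --bucket <name>`; object ACLs from `get-object-acl`
have the same shape, so the same check covers objects too.
"""

import json

# Predefined Amazon S3 group URIs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# WRITE lets a grantee add and delete objects; WRITE_ACP lets it rewrite the ACL;
# FULL_CONTROL implies both, so all three are treated as write-like.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_LIKE = {"READ", "READ_ACP"}

SEVERITY_RANK = {"high": 0, "medium": 1}

# Constructed sample (not a real bucket): the owner keeps FULL_CONTROL, AllUsers may
# list the bucket (READ), and AuthenticatedUsers may write, mirroring the finding above.
SAMPLE_ACL_JSON = """
{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}
"""


def audit_acl(acl: dict) -> list[tuple[str, str, str]]:
    """Return (severity, group, permission) for every grant to a public group.

    Write-like grants are 'high' (anyone, or anyone with an AWS account, can add,
    overwrite or delete objects, or change the ACL itself); read-like grants are
    'medium' (public listing/reading). Grants to individual canonical users or to
    non-public groups such as LogDelivery are not reported. Results are sorted so
    the most severe findings come first (stable sort keeps grant order otherwise).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue
        permission = grant.get("Permission", "")
        if permission in WRITE_LIKE:
            findings.append(("high", group, permission))
        elif permission in READ_LIKE:
            findings.append(("medium", group, permission))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def is_publicly_writable(acl: dict) -> bool:
    """True when any public group holds a write-like permission."""
    return any(severity == "high" for severity, _, _ in audit_acl(acl))


def load_sample_acl() -> dict:
    """Parse the constructed sample ACL document."""
    return json.loads(SAMPLE_ACL_JSON)


if __name__ == "__main__":
    acl = load_sample_acl()
    for severity, group, permission in audit_acl(acl):
        print(f"[{severity.upper()}] {group} has {permission}")
    print("publicly writable:", is_publicly_writable(acl))
```

To use it on a real bucket, save the output of `aws s3api get-bucket-acl --bucket <name>` to a file, `json.load` it and pass the dict to `audit_acl`; run the same over `get-object-acl` output for a sample of objects to cover the second recommendation. One caveat: on buckets whose Object Ownership setting is BucketOwnerEnforced, ACLs are disabled entirely and access is governed by the bucket policy alone, so there the policy, not the ACL, is what needs reviewing.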

Note: Newly created Amazon S3 buckets and objects are private and protected by default.

Happy Hacking!
