AWS S3 Misconfiguration Explained – And How To Fix It – 10 minute mail

A technical write-up explaining AWS S3 misconfiguration is available on our Labs blog.

AWS Simple Storage Service (often shortened to S3) is used by companies that don’t want to build and maintain their own storage repositories. By using Amazon Simple Storage Service, they can store objects and files on a virtual server instead of on physical racks – in simple terms, the service is basically “a Dropbox for IT and tech teams”. After the user has created their bucket, they can start storing their source code, certificates, passwords, content, databases and other data. While AWS promises safely stored data and secure uploads and downloads, the security community has for a long time pointed out severe misconfigurations. If you are vulnerable, attackers could get full access to your S3 bucket, allowing them to download, upload and overwrite files.

The Disposable mail Team has taken a deep dive into AWS asset controls, and will explain how easy it is for hackers to exploit the misconfigurations. Continue reading if you want to know how you can prevent this from happening.

How it is done

The S3 bucket name is not a secret, and there are many ways to figure it out. Once the attacker knows it, there are multiple misconfigurations that can be used to either access or modify information, leading to three different scenarios. By using the AWS Command Line to talk to Amazon’s API, the attacker can:

  • list and read the files in the S3 bucket
  • write/upload files to the S3 bucket
  • change the access rights on all objects and control the content of the files (full control of the bucket does not by itself mean the attacker can read every object, but they can still control the objects’ content)

Please note that attackers can gain this access without the company hosting the S3 bucket ever noticing.

AWS are aware of the security issue, but are not likely to mitigate it since it is caused by user misconfigurations.

S3 misconfiguration explained

What can happen

When Disposable mail’s Security Advisor Frans Rosén, a prominent white hat hacker, did the underlying research for his Proof of Concept blog post, he could control assets on high profile websites, meaning he could do anything from overwriting files and uploading vulnerable files to downloading intellectual property.

Disclaimer:
All instances disclosed in the Labs post were reported to the affected parties using responsible disclosure policies. In some of the cases, third party companies were involved and we got assistance from the companies affected to contact the vulnerable party.

Since so many companies store sensitive data in S3 buckets, any leak could be devastating. You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” wrote Wineberg. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data.”

Here is another example of a public bug bounty report where a security researcher could write files to HackerOne’s bucket without any read access: https://hackerone.com/reports/128088

How to fix it

Change privileges on your bucket: https://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html (using the AWS Command Line helps prove that exploitation is possible)
Scan your website with Disposable mail (If you already have a Disposable mail account and would like to check your S3 configuration, simply create a new scan profile pointing to your S3 bucket.)
Read the detailed guides and resources in the tool
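To tie the three attacker scenarios above to the permissions you review when changing bucket privileges, here is a small ACL auditor added as an example; it is not code from the original post or from the Disposable mail tool. It assumes the ACL is a dict shaped like the JSON that `aws s3api get-bucket-acl` returns, and the sample ACL is constructed, not a real bucket.

```python
import json

# Canonical AWS group URIs whose grants are effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Each S3 ACL permission, phrased as the misconfiguration class it causes.
IMPACT = {
    "READ": "arbitrary file listing / read",
    "WRITE": "arbitrary file upload (blind if READ is absent)",
    "READ_ACP": "reveals ACP/ACL",
    "WRITE_ACP": "can change access rights on the bucket",
    "FULL_CONTROL": "full access (read, write, change ACL)",
}

def audit_acl(acl):
    """Return (who, permission, impact) for every grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / email grants are scoped to one principal
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if who is None:
            continue  # e.g. the LogDelivery group, which is not public
        perm = grant.get("Permission", "")
        findings.append((who, perm, IMPACT.get(perm, "unknown permission")))
    return findings

def is_blind_upload(findings):
    """True when anonymous users can WRITE but cannot READ (the 'blind uploads' case)."""
    anon = {perm for who, perm, _ in findings if who == "anyone (anonymous)"}
    return "WRITE" in anon and not ({"READ", "FULL_CONTROL"} & anon)

# Constructed sample ACL: the owner keeps FULL_CONTROL, but a WRITE grant to
# AllUsers lets anyone upload without being able to list the bucket.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"}
  ]
}""")
```

Run `audit_acl` over the output of `aws s3api get-bucket-acl --bucket <your-bucket>` for each bucket you own; an empty result means no grant goes to a public group, which is the state the fix above aims for.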

Additional reading:
https://cloudacademy.com/blog/amazon-s3-security-master-bucket-polices-acls/

Test if you are vulnerable with Disposable mail

Disposable mail scans for S3 misconfigurations with a severity range between 4.4 and 9.0 on the CVSS scale. They are all placed in the security misconfiguration category in the Disposable mail tool.

The 6 vulnerability types are:

  • Amazon S3 bucket allows for full anonymous access
  • Amazon S3 bucket allows for arbitrary file listing
  • Amazon S3 bucket allows for arbitrary file upload and exposure
  • Amazon S3 bucket allows for blind uploads
  • Amazon S3 bucket allows arbitrary read/writes of objects
  • Amazon S3 bucket reveals ACP/ACL

Read Frans’ full blog post if you want a more detailed walkthrough of the misconfiguration, and reach out to us if you have any questions!

//The Disposable mail Team


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

7 biggest security news of 2017 – 10 minute mail

Cloud security, ransomware, and poor incident responses have all shaped security discussions in 2017. Another interesting year in security has gone by and although it is difficult to only pick a couple of highlights, we have put together a list of 7 security news that defined 2017.

1. WannaCry

The WannaCry ransomware attack infected thousands of computers running Microsoft Windows in over 150 countries. The NHS, Deutsche Bahn, and FedEx were among the organisations affected by the attack. WannaCry propagates using EternalBlue, an SMB exploit from the NSA hacking toolkit that had been leaked by Shadow Brokers in April 2017. This was not the only attack taking advantage of EternalBlue – about a month after WannaCry, a variant of Petya ransomware (also known as NotPetya) hit Ukraine using the same exploit. Ransomware attacks have become increasingly common in 2017 as ransomware has become a lucrative business for cybercriminals.

2. ROCA

In October, researchers disclosed a vulnerability that could potentially affect anyone with an HTTPS certificate. ROCA, a weakness in a software library used in cryptography hardware made by Infineon Technologies AG, allows an attacker to recover a valid private key. Because the hardware is widely used to generate everything from HTTPS certificates and PGP keys to smart cards, ROCA had a considerable scope.

3. Dirty COW… again

The Dirty COW exploit was big news in 2016, but the story did not end there. This year, a new malware called ZNIU emerged. ZNIU spreads via infected apps, exploiting the Dirty COW vulnerability to gain root access to Android devices. To top it all off, the Dirty COW patch that was released last year turned out to be flawed, making it possible for an attacker to exploit a race condition and gain write access to read-only memory. The vulnerability put several Linux distributions at risk, but had a considerably smaller scope than last year’s Dirty COW exploit as it does not affect Android. The moral of the story? Using unpatched software is risky, patches can be vulnerable, and security flaws can make an unexpected comeback.

4. S3 bucket misconfigurations

Misconfigured AWS S3 buckets were this summer’s security hot topic. Companies like Dow Jones, ABC, Time Warner and Verizon made the headlines after unintentionally exposing their buckets. We wrote about S3 bucket misconfigurations and did research on how they can be exploited. Since then, Amazon has added new security features and worked to inform AWS users about the risks associated with bucket misconfigurations. Although AWS was in the spotlight this year, cloud misconfigurations in general are not uncommon as cloud security is still a relatively new frontier.

5. Equifax

If there is one security incident that sticks out in terms of scope and publicity this year, it’s the Equifax breach. Personal data belonging to millions of people was exposed, and one of the elements leading to the breach was a vulnerability in Apache Struts (CVE-2017-5638). As a patch for the flaw had been released two months before Equifax was breached, the company’s security routines were called into question. To make things worse, Equifax did not notify the public of the data exposure straight away, and proceeded to send affected customers to a fake campaign website.

6. Uber

Equifax was not the only company dealing with security issues in a less than optimal way. In autumn 2017, news broke that Uber had paid a hacker $100,000 to conceal a serious security breach that took place in 2016. Uber issued a statement and confirmed that two security officials involved in the incident had resigned, but it remains to be seen how – and if – the company regains consumers’ trust.

7. Google Chrome implemented the “Not Secure” warning

2017 was not all about ransomware, misconfigurations, and companies not taking responsibility for their security shortcomings; it was also a year of increased security awareness. In January, Google Chrome rolled out the “Not secure” warning that flags websites that do not use HTTPS and contain login forms or credit card input fields, while Mozilla announced a similar warning would be implemented in Firefox. The warnings do not only help website visitors become more aware of security risks, they also guide developers as they make their own websites more secure. Hurray for a safer internet!

What’s 2018 going to bring?

What can we expect in security news in the coming year? With the increasing popularity of cryptocurrency, we will probably see a growing number of leaking wallets. We might also encounter more NSA leaks similar to those published by Shadow Brokers, followed by sophisticated exploits based on the leaked hacking tools.

As gadgets like Amazon Echo enter consumers’ homes, it would not be surprising to see attacks targeting smart home devices. Same as last year, we believe the trend of exploits with catchy names will continue. 2017 definitely lived up to this prediction with names like KRACK, WannaCry, CloudBleed, and EternalBlue. This year, we didn’t see any major DDoS attacks like the Dyn attack of 2016, but unfortunately, this does not mean DDoS is not a threat anymore.

But don’t worry, things are moving in the right direction! Developers and internet users are becoming more aware of security issues and potential threats. As governments implement measures like the GDPR to protect private data, we hope that organisations look at this year’s cautionary tales and begin to secure their websites. After Equifax, Uber, Yahoo, and many more, dealing with security breaches in a timely and transparent manner is more important than ever before. Let’s make 2018 the year of awesome security! 
