What is S3 Bucket Misconfiguration?
S3 Bucket Misconfiguration is a class of security vulnerability that arises when an Amazon S3 bucket's access controls are set up incorrectly, most often by making the bucket, or the objects in it, readable or writable by the public. The result can be unauthorized access to private information, data leaks and data loss: an attacker who reaches the bucket can list its contents, download them, or modify and delete them.
A bug hunter called "Sam" earned a $5,250 reward after gaining access to millions of users' records through an S3 bucket misconfiguration, which he found after decompiling Tecno's Android applications with Apktool.
In 2022 he shared the story on Medium.com, describing how he was able to access millions of users' data, including personal information and addresses.
Since there were more than 50 applications, he could not check each one by hand. Instead he used nuclei: he found templates written for Android applications, downloaded them, and ran them over the whole directory of decompiled apps.
After a run of about 18-19 minutes, nuclei reported an S3 bucket, but Sam could not access it through the AWS CLI; the response was Access Denied.
A few minutes later nuclei reported another S3 bucket, and he tried it without much hope. Surprisingly, he was able to access the entire bucket, which contained Tecno's internal files, its users, and all of their data. He had enough access to download everything, but, following the bug bounty rules, he stopped there and reported it directly to the team.
After reporting it, Sam found another S3 bucket with nuclei, which also held about 4-5 GB of data. The team, however, merged this report with the previous one, even though they were separate findings.
The team's position was that both buckets were managed by the same internal team, so Sam received only 25 reputation points on the program, a $5,250 reward for the first report and $0 for the second. Sam argues that his findings deserved a larger reward.
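As an added example (this is not code from Sam's write-up or from nuclei), here is a small Python script that does the same job the nuclei templates did over an apktool output directory: it pulls S3 bucket names out of the three URL forms an app typically embeds (virtual-hosted, path-style and `s3://`) and prints the AWS CLI commands used to test each bucket anonymously, as Sam did. The sample files, bucket names and region below are constructed for illustration and do not belong to any real application.

```python
"""Find S3 bucket references in a decompiled Android app and build the
unauthenticated access check that a hunter would run with the AWS CLI.

Added example, not taken from the write-up or from nuclei. The sample
directory created by build_sample_app_dir() is constructed for illustration.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The three URL forms an app usually embeds, matched against text-like files
# that apktool leaves behind (smali, res/values/strings.xml, assets, JSON).
_S3_PATTERNS = [
    # virtual-hosted: BUCKET.s3.amazonaws.com or BUCKET.s3.REGION.amazonaws.com
    re.compile(r"\b([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
    # path-style: s3.amazonaws.com/BUCKET/... or s3.REGION.amazonaws.com/BUCKET/...
    # The lookbehind stops "x.s3.amazonaws.com/img" from being read as bucket "img".
    re.compile(r"(?<![\w.-])s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"),
    # s3:// URIs found in SDK configuration
    re.compile(r"\bs3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"),
]

TEXT_SUFFIXES = {".smali", ".xml", ".json", ".txt", ".properties", ".js", ".html"}


def extract_buckets(text: str) -> set[str]:
    """Return the set of bucket names referenced in one blob of text."""
    found: set[str] = set()
    for pattern in _S3_PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group(1))
    return found


def scan_decompiled_dir(root: str) -> dict[str, set[str]]:
    """Walk a decompiled app directory; map bucket name -> files referencing it."""
    hits: dict[str, set[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for bucket in extract_buckets(text):
            hits.setdefault(bucket, set()).add(path.relative_to(root).as_posix())
    return hits


def access_check_commands(bucket: str) -> list[str]:
    """AWS CLI commands that test the bucket without credentials.
    --no-sign-request sends an anonymous request: 'Access Denied' means the
    bucket exists but is not public; a listing means it is world-readable."""
    return [
        f"aws s3 ls s3://{bucket}/ --no-sign-request",
        f"aws s3api get-bucket-acl --bucket {bucket} --no-sign-request",
    ]


def build_sample_app_dir() -> str:
    """Constructed stand-in for an apktool output directory (not a real app)."""
    root = tempfile.mkdtemp(prefix="apk-")
    files = {
        "res/values/strings.xml": '<string name="cdn">https://example-app-assets.s3.amazonaws.com/img/</string>',
        "smali/com/example/Upload.smali": 'const-string v0, "https://s3.eu-west-1.amazonaws.com/example-app-uploads/"',
        "assets/config.json": '{"backup": "s3://example-app-backups/nightly"}',
        "lib/armeabi/libnative.so": "binary content, skipped by suffix",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_app_dir()
    for bucket, paths in sorted(scan_decompiled_dir(root).items()):
        print(bucket, "<-", ", ".join(sorted(paths)))
        for cmd in access_check_commands(bucket):
            print("   ", cmd)
```

Point `scan_decompiled_dir` at the directory apktool produced (one subdirectory per app to cover all 50+ at once) and run the printed commands only against targets that are in scope; an anonymous listing that succeeds is the finding, and, as in the story, that is where the testing stops.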
What can be learned from this story?
It is worth noting that Sam did not download any file from the buckets; he downloaded only one file from Tecno's server, to attach to the vulnerability report. Tecno has since fixed the server, and Sam says that the users' data is now safe.
How to Prevent S3 Bucket Misconfiguration?
Preventing S3 bucket misconfiguration is crucial for securing your AWS environment. Here are some steps you can take:
- Enable access logging: Enable server access logging (or CloudTrail data events) on your S3 buckets so that every request is recorded and suspicious access can be identified and investigated.
- Restrict access: Turn on S3 Block Public Access at the account level and on every bucket, and limit access with IAM policies and bucket policies that name specific principals rather than a wildcard (`*`). Bucket and object ACLs are a legacy mechanism; leave them disabled unless you have a specific need for them, and never grant to AllUsers or AuthenticatedUsers.
- Use encryption: Enable default server-side encryption (SSE-S3 or SSE-KMS) to protect data at rest. Data in transit is protected by TLS, which you can enforce with a bucket policy that denies requests where aws:SecureTransport is false. Client-side encryption adds a further layer, since the data is encrypted before it ever reaches S3.
- Monitor bucket permissions: Regularly audit bucket policies, ACLs and Block Public Access settings to ensure that only authorized users and applications have access to your buckets.
- Use AWS Trusted Advisor: Trusted Advisor's S3 bucket permissions check flags buckets with open access permissions; AWS Config rules and IAM Access Analyzer for S3 give the same kind of continuous check. These help you find and fix issues before they can be exploited.
- Implement versioning: Enable versioning on your buckets (and consider Object Lock or MFA delete for critical data) to protect against accidental or malicious deletion and modification, and to support recovery after a security incident.
By following these steps you greatly reduce the risk of S3 bucket misconfiguration and protect the security and integrity of your AWS environment. Remember to review and update these controls regularly to stay ahead of evolving threats.
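The following added example (it is not part of the original post and is not an AWS tool) turns the checklist above into an offline audit. It takes the responses of the relevant `aws s3api` calls, given here as Python dicts in the same shape the CLI and boto3 return, and reports which controls are missing, shown on a constructed weak configuration beside its corrected form. The bucket names, the target log bucket and the account ID 123456789012 are illustrative.

```python
"""Offline audit of an S3 bucket's configuration against the checklist above.

Added example, not part of the original post or of any AWS tooling. Inputs use
the shapes returned by get-bucket-policy (the Policy string), get-bucket-acl,
get-public-access-block, get-bucket-versioning, get-bucket-logging and
get-bucket-encryption, so real responses can be fed in unchanged. The WEAK and
FIXED samples below are constructed for illustration.
"""
from __future__ import annotations

import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: any AWS account, or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: str | None) -> list[dict]:
    """Allow statements whose Principal is a wildcard. Statements that carry a
    Condition are included as well, because a condition can be broad;
    audit_bucket marks them for manual review rather than treating them as safe."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]


def audit_bucket(name: str, *, policy_json=None, acl=None, public_access_block=None,
                 versioning=None, logging=None, encryption=None) -> list[str]:
    """Return human-readable findings; an empty list means the checklist passes."""
    findings = []
    # get-public-access-block: all four flags should be true. This guard makes
    # a public ACL or a public bucket policy ineffective even if one slips in.
    bpa = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BPA_KEYS if not bpa.get(k)]
    if missing:
        findings.append(f"Block Public Access incomplete: {', '.join(missing)} not set")
    # get-bucket-acl: a grant to AllUsers or AuthenticatedUsers is public access
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    # get-bucket-policy: wildcard principals
    for s in public_policy_statements(policy_json):
        scope = "with a Condition (verify it is narrow)" if "Condition" in s else "unconditionally"
        findings.append(f"Policy statement {s.get('Sid', '?')} allows {s.get('Action')} to everyone {scope}")
    # get-bucket-versioning returns {} until versioning has ever been enabled
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("Versioning not enabled")
    # get-bucket-logging includes LoggingEnabled only when access logging is on
    if "LoggingEnabled" not in (logging or {}):
        findings.append("Server access logging not enabled")
    # get-bucket-encryption: expect at least one default-encryption rule
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("No default server-side encryption rule")
    return [f"{name}: {f}" for f in findings]


# Constructed sample: the weak configuration beside the corrected one.
WEAK = dict(
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-uploads", "arn:aws:s3:::example-app-uploads/*"]}]}),
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    public_access_block={"PublicAccessBlockConfiguration": dict.fromkeys(BPA_KEYS, False)},
    versioning={}, logging={}, encryption=None,
)
FIXED = dict(
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-api"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"}]}),
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    public_access_block={"PublicAccessBlockConfiguration": dict.fromkeys(BPA_KEYS, True)},
    versioning={"Status": "Enabled"},
    logging={"LoggingEnabled": {"TargetBucket": "example-app-logs", "TargetPrefix": "uploads/"}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(f"[{label}]", audit_bucket("example-app-uploads", **cfg) or ["no findings"])
```

In practice the dicts are filled from `aws s3api get-bucket-policy --bucket NAME` (its Policy field), `get-bucket-acl`, `get-public-access-block`, `get-bucket-versioning`, `get-bucket-logging` and `get-bucket-encryption`. Some of these calls return an error rather than an empty object when nothing is configured (for example when no public access block exists); pass None in that case and the audit reports the control as missing.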
Link to the full write-up: here