Since Leroy wrote a great article about Hostile Domain Takeover, I thought I would write one about S3 bucket takeover, which is also a common attack scenario.
S3 bucket takeover describes the issue of claiming an S3 bucket name that was previously owned by someone else: bucket names are global, so once the original owner deletes a bucket, any AWS account can register the same name while old references to it keep pointing there.
This issue may lead to several attacks, such as identity theft, credential stealing or website defacement. Usually, it is difficult to detect.
Luckily, I found such an orphaned bucket that had been used by Amazon AWS China. They used this bucket to provide some example AWS CloudFormation files. However, they deleted the bucket on their side, and I was able to register the bucket.
What could have happened?
An attacker would have been able to spread malicious CloudFormation files to AWS customers, which may lead to account takeover or massive cryptocurrency mining.
AWS takes its security seriously and provides a dedicated Vulnerability Reporting site. As described on that site, I sent an email to the AWS security team with a small report regarding their orphaned S3 bucket. After approximately three days, we managed to transfer the bucket name to their account.
Well, it's quite hard to say how to protect against such attacks. In any case, you should keep track of your S3 buckets: every place that still references a deleted bucket (templates, web pages, DNS records) is a reference an attacker can serve content for. Orphaned buckets may lead to severe security issues.
At my company, we simply try to hide S3 buckets and never use them for public access.
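One practical way to keep track of this is to extract every bucket name your own files reference and check whether that name still exists. The script below is an added example written for this post, not code from the original article or from AWS; the CloudFormation snippet and the bucket names in it are constructed, and the endpoint and timeout in `probe_bucket` are assumptions. A name that answers 404/NoSuchBucket while still being referenced is a dangling reference that should be fixed (re-create the bucket under your account or remove the reference).

```python
"""Audit your own files for references to S3 buckets that no longer exist.

Added example for this post (not code from the original article or from AWS).
"""
import re
import sys
import urllib.error
import urllib.request

# Bucket names are 3-63 lowercase letters, digits, dots and hyphens.
_NAME = r"([a-z0-9.-]{3,63})"
_BUCKET_PATTERNS = [
    # virtual-hosted style: https://<bucket>.s3[.-<region>].amazonaws.com[.cn]/...
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:\.cn)?"),
    # path style: https://s3[.-<region>].amazonaws.com[.cn]/<bucket>/...
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:\.cn)?/" + _NAME),
    # s3:// URIs as used by the AWS CLI and many templates
    re.compile(r"s3://" + _NAME),
]

# Constructed sample input: a CloudFormation template referencing three buckets.
SAMPLE_TEMPLATE = """
Resources:
  NetworkStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://example-cfn-samples.s3.cn-north-1.amazonaws.com.cn/vpc.yaml
  Website:
    Type: AWS::CloudFront::Distribution
    Properties:
      Origin: https://s3-eu-west-1.amazonaws.com/legacy-website-assets/index.html
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Code: s3://example-lambda-artifacts/app.zip
"""


def extract_bucket_names(text):
    """Return the set of bucket names referenced anywhere in text."""
    found = set()
    for pattern in _BUCKET_PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group(1))
    return found


def classify_response(status, body):
    """Classify a response from the bucket endpoint.

    'dangling': the name does not exist (404 / NoSuchBucket), so anyone can claim it.
    'exists':   the bucket exists, whether or not we may read it (200, 301, 403, ...).
    """
    if status == 404 or b"NoSuchBucket" in body:
        return "dangling"
    return "exists"


def probe_bucket(name, timeout=5):
    """Live check (needs network): HEAD the path-style endpoint and classify the reply.

    The endpoint and timeout are assumptions made for this example.
    """
    request = urllib.request.Request(f"https://s3.amazonaws.com/{name}", method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_response(response.status, b"")
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read() or b"")


def find_dangling(text, prober=probe_bucket):
    """Return the sorted list of referenced bucket names that no longer exist."""
    return sorted(name for name in extract_bucket_names(text) if prober(name) == "dangling")


if __name__ == "__main__":
    # Usage: python audit_buckets.py template.yaml index.html ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for bucket in find_dangling(fh.read()):
                print(f"{path}: dangling bucket reference '{bucket}'")
```

The `prober` parameter lets you run `find_dangling` against recorded responses (or in a unit test) without touching the network; a 403 AccessDenied counts as "exists" because the name is taken, which is exactly what you want for this check.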
If you have any ideas on how to protect your buckets please leave a comment to tell the world. 🙂
Stay safe guys!
Title Image via unsplash.com