GNU social JP
GNU social JP is a GNU social server in Japan.

Notices where this attachment appears

    Victor Grenu (zoph@infosec.exchange)'s status on Tuesday, 03-Jan-2023 17:39:15 JST

    Last week, I discovered a public Amazon S3 bucket belonging to a French bank that contained approximately 16GB of data (122 339 files), including static assets such as CSS, JavaScript, and images, as well as official documents, schema, unverified IBANs and API documentation.

    While the bucket was intentionally left open, the bank's security team promptly responded to my report and corrected the issue.

    However, there are several potential risks associated with leaving an Amazon S3 bucket open to the public.

    By knowing the name of the bucket, I was able to download its entire contents, potentially gain access to sensitive information (naming convention, API endpoints), and even deduce the bank's AWS Account ID (prod?) and AWS Organization ID.

    In today's AWS Security landscape, it is generally considered best practice to use a CloudFront distribution to expose static files rather than leaving S3 buckets open to the public.

    As a fun side note, I discovered that Google was also indexing the bucket's contents.

    Despite the security lapse, the bank was grateful for my report and even rewarded me with a $10 credit as a customer.

    Overall, it was a reminder that security is an ongoing effort, and we should all be vigilant in protecting our assets.

    #AWS #Security

    In conversation Tuesday, 03-Jan-2023 17:39:15 JST from infosec.exchange
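As an added defender-side example (not part of the post above): a small Python check that flags S3 bucket-policy statements granting access to anonymous principals, shown against the CloudFront-only pattern the post recommends instead of a public bucket. The bucket name, account ID and distribution ID are constructed placeholders.

```python
# Constructed sample bucket policies (placeholders, not the bank's real policy).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bank-assets",
                     "arn:aws:s3:::example-bank-assets/*"],
    }],
}

# Same objects served only through one CloudFront distribution (Origin Access
# Control): the CloudFront service principal plus a SourceArn condition pinned
# to that distribution. 111122223333 and EDFDVBD6EXAMPLE are placeholder IDs.
CLOUDFRONT_OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAC",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bank-assets/*",
        "Condition": {"StringEquals": {"AWS:SourceArn":
            "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}},
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_public_statements(policy):
    """(Sid, actions) for Allow statements open to anonymous principals with no
    Condition at all; anonymous grants that carry a Condition need manual review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings

def allows_anonymous_listing(policy):
    """s3:ListBucket for anyone exposes the whole key space, which is how a
    bucket can be mirrored in full once its name is known."""
    return any("s3:ListBucket" in actions or "s3:*" in actions
               for _, actions in find_public_statements(policy))
```

Bucket ACLs and the account-level S3 Block Public Access settings are separate controls that this policy check does not read.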

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.