Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/zoph/statuses/109624289873286655">Victor Grenu (zoph@infosec.exchange)'s status on Tuesday, 03-Jan-2023 17:39:15 JST</a><a href="https://infosec.exchange/@zoph" title="zoph@infosec.exchange"><img src="https://gnusocial.jp/avatar/84182-48-20230103083915.webp" width="48" height="48" alt="Victor Grenu" style="position: absolute; left: 0; top: 0;">Victor Grenu</a></section><article><p>Last week, I discovered a public Amazon S3 bucket belonging to a French bank that contained approximately 16GB of data (122 339 files), including static assets such as CSS, JavaScript, and images, as well as official documents, schema, unverified IBANs and API documentation.</p><p>While the bucket was intentionally left open, the bank's security team promptly responded to my report and corrected the issue.</p><p>However, there are several potential risks associated with leaving an Amazon S3 bucket open to the public.</p><p>By knowing the name of the bucket, I was able to download its entire contents, potentially gain access to sensitive information (naming convention, API endpoints), and even deduce the bank's AWS Account ID (prod?) and AWS Organization ID.</p><p>In today's AWS Security landscape, it is generally considered best practice to use a CloudFront distribution to expose static files rather than leaving S3 buckets open to the public.</p><p>As a fun side note, I discovered that Google was also indexing the bucket's contents.</p><p>Despite the security lapse, the bank was grateful for my report and even rewarded me with a $10 credit as a customer.</p><p>Overall, it was a reminder that security is an ongoing effort, and we should all be vigilant in protecting our assets.</p><p><a href="https://infosec.exchange/tags/AWS" rel="tag">#AWS</a> <a href="https://infosec.exchange/tags/Security" rel="tag">#Security</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/982808#notice-2215618">In conversation</a><time datetime="2023-01-03T17:39:15+09:00" title="Tuesday, 03-Jan-2023 17:39:15 JST">Tuesday, 03-Jan-2023 17:39:15 JST</time> <span>from <span><a href="https://infosec.exchange/@zoph/109624289873286655" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@zoph/109624289873286655">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: public.by</div><h5><a href="http://public.By/">PUBLIC ART Amazing Artists</a></h5><div> from <span>Public</span></div></header><div>Public Art Presents Amazing Artists Arts From Across The globe
abstract art
abstract painting
acrylic painting
ai weiwei
albrecht durer
alec monopoly
alexander calder
alphonse mucha
andy goldsworthy
andy warhol
art
art and craft
art deco
art gallery
art nouveau
artforkidshub
artist
artstation
artsy
artwork
ascii art
banksy
banksy art
barbara kruger
basquiat
bob ross paintings
botticelli
calligraphy
calligraphy letters
canvas painting
canvas prints
caravaggio
cezanne
claude monet
contemporary art
cubism
dada
david hockney
de young museum
diamond painting
digital art
doodle art
drawing
drawing for kids
fine art
frida kahlo
frida kahlo paintings
galleries
graffiti
graffiti art
henri matisse
In Account
jackson pollock
james turrell
joan miro
kandinsky
kaws
kehinde wiley
keith haring
Keyword ideas
Keywords you provided
klimt
line art
magritte
man ray
mandala art
marcel duchamp
marina abramovic
mark rothko
max ernst
mc escher
metropolitan museum of art
michelangelo
modern art
monet
museum of modern art
op art
painting
paul cezanne
paul klee
pencil drawing
pencil sketch
picasso paintings
piet mondrian
pop art
rene magritte
rock painting
rothko
roy lichtenstein
sandro botticelli
street art
surrealism
takashi murakami
van gogh paintings
vincent van gogh
wall art
warhol
wassily kandinsky
watercolor painting
word art
yayoi kusama
zentangle
zentangle patterns</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/581410">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/581411">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Victor Grenu (zoph@infosec.exchange)'s status on Tuesday, 03-Jan-2023 17:39:15 JST Victor Grenu
Last week, I discovered a public Amazon S3 bucket belonging to a French bank that contained approximately 16GB of data (122 339 files), including static assets such as CSS, JavaScript, and images, as well as official documents, schema, unverified IBANs and API documentation.
While the bucket was intentionally left open, the bank's security team promptly responded to my report and corrected the issue.
However, there are several potential risks associated with leaving an Amazon S3 bucket open to the public.
By knowing the name of the bucket, I was able to download its entire contents, potentially gain access to sensitive information (naming convention, API endpoints), and even deduce the bank's AWS Account ID (prod?) and AWS Organization ID.
In today's AWS Security landscape, it is generally considered best practice to use a CloudFront distribution to expose static files rather than leaving S3 buckets open to the public.
As a fun side note, I discovered that Google was also indexing the bucket's contents.
Despite the security lapse, the bank was grateful for my report and even rewarded me with a $10 credit as a customer.
Overall, it was a reminder that security is an ongoing effort, and we should all be vigilant in protecting our assets.
#AWS #Security
In conversationTuesday, 03-Jan-2023 17:39:15 JST from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: public.by
  PUBLIC ART Amazing Artists
  from Public
  Public Art Presents Amazing Artists Arts From Across The globe abstract art abstract painting acrylic painting ai weiwei albrecht durer alec monopoly alexander calder alphonse mucha andy goldsworthy andy warhol art art and craft art deco art gallery art nouveau artforkidshub artist artstation artsy artwork ascii art banksy banksy art barbara kruger basquiat bob ross paintings botticelli calligraphy calligraphy letters canvas painting canvas prints caravaggio cezanne claude monet contemporary art cubism dada david hockney de young museum diamond painting digital art doodle art drawing drawing for kids fine art frida kahlo frida kahlo paintings galleries graffiti graffiti art henri matisse In Account jackson pollock james turrell joan miro kandinsky kaws kehinde wiley keith haring Keyword ideas Keywords you provided klimt line art magritte man ray mandala art marcel duchamp marina abramovic mark rothko max ernst mc escher metropolitan museum of art michelangelo modern art monet museum of modern art op art painting paul cezanne paul klee pencil drawing pencil sketch picasso paintings piet mondrian pop art rene magritte rock painting rothko roy lichtenstein sandro botticelli street art surrealism takashi murakami van gogh paintings vincent van gogh wall art warhol wassily kandinsky watercolor painting word art yayoi kusama zentangle zentangle patterns
2. Untitled attachment
3. Untitled attachment