Bug hunting: Open access to S3 bucket
This blog post explains how I discovered a bug in a well-known ride-sharing platform that allowed me to access the firm’s assets stored in AWS S3 buckets without the required ACL configuration.
AWS S3 Bucket
Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance.
I am unable to disclose the company name because the bug has not yet been fixed. The steps taken to identify this vulnerability are listed below. Let example.com be the company in this case.
1) Finding all potential subdomains for the site and looking for development, staging, or other variations of the same site. For instance, staging.example.com, test.example.com, uat.example.com, and so forth.
2) After that, I started looking through the few subdomain pages expecting some hidden configurations (as these are non-production sites, the developers might have included passwords and API tokens in the source code).
3) When I looked at the source code, I discovered that every image had a unique source, such as assets.example.com/<folder-id>/images/<random-id>.
So I used Burp Suite to intercept the image URL, and I discovered that these were stored in an S3 bucket. I tried guessing the endpoints such as
- assets.example.com/random-folder-name
- assets.example.com/users/images
- assets.example.com/<folder-id>/users
All these resulted in 403 Forbidden. Then I just backtracked the original path:
assets.example.com/<id>/images/<img-id> to assets.example.com/<id>/images/
This gave me the XML file containing all image ids. But I didn’t stop here, as all these images could be scraped using a simple Python web scraper.
After a few Google dorking tricks, I found the actual link to the S3 bucket!
Then I just logged into my AWS account and, using the AWS CLI, got a list of all documents, images, and CSV files stored in the bucket.
aws s3 ls s3://<bucket-name>/ > files.txt
I reported the above vulnerability to the respective team and am awaiting their response.
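For the bucket owner's side of this finding, here is an added example (not code from the original post) that checks the JSON returned by `aws s3api get-bucket-acl`, and a bucket policy document, for grants that let principals outside the account list objects. The sample ACL, policy and bucket name are constructed, and the policy check is simplified on purpose: it matches exact action strings and treats any Condition as restrictive.

```python
import json

# Predefined S3 groups whose grants reach outside the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
LIST_PERMISSIONS = {"READ", "FULL_CONTROL"}  # on a bucket ACL, READ means "list objects"
LIST_ACTIONS = {"s3:listbucket", "s3:list*", "s3:*", "*"}  # simplified: exact strings only


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Check `aws s3api get-bucket-acl` output for grants that expose listing."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in LIST_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def policy_findings(policy):
    """Check a bucket policy for Allow statements that let any principal list."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow" and wildcard
                and actions & LIST_ACTIONS and "Condition" not in stmt):
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} lets any principal list")
    return findings


# Constructed sample input (not from the post); names and IDs are placeholders.
SAMPLE_ACL = json.loads("""{"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
   "Permission": "READ"}]}""")
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicAssets", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets-bucket/*"}]}

if __name__ == "__main__":
    for finding in acl_findings(SAMPLE_ACL) + policy_findings(SAMPLE_POLICY):
        print("FINDING:", finding)
```

The sample policy allows public reads of individual objects but not listing, so only the ACL grant is reported; serving assets this way while keeping bucket-level READ off is what keeps the object keys from being enumerated.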
Happy bug hunting!