Friday 11 January 2019

Another S3 leak...


During my investigation into S3 buckets as part of my dissertation, within a single day I came across a publicly accessible bucket holding over 200GB of data. Having just left 2018 behind, a year of massive S3 data leaks still fresh in my mind, I noticed an abnormally large bucket with open access controls. Looking deeper into its contents I see:

Let's look closer:


Password & Secure Password!?

I feared the worst and confirmed they are storing plain text passwords alongside MD5-hashed passwords.
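To show why a column of unsalted MD5 digests next to (or instead of) plain text passwords offers almost no protection, here is an added example that is not code from the post or from the site that owned the bucket. It contrasts the weak scheme (unsalted MD5, where every user with the same password gets the identical digest) with a salted PBKDF2-HMAC-SHA256 scheme and a constant-time verifier. The two sample user records and the iteration count are constructed placeholders, not values taken from the leak.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Hypothetical work factor; raise it until hashing takes tens of milliseconds
# on your own servers. Not a value from the post.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_hex(password: str) -> str:
    """The weak scheme seen in the leak: unsalted MD5.
    Deterministic, so identical passwords produce identical digests and a
    single precomputed table covers every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened scheme: random per-user salt + PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' so the
    parameters travel with the record and can be upgraded later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def compare_schemes(users: List[Dict[str, str]]) -> Dict[str, object]:
    """Given constructed user records with a 'password' field, report whether
    users sharing a password are distinguishable under each scheme."""
    md5_digests = {u["password"]: md5_hex(u["password"]) for u in users}
    pbkdf2_hashes = [hash_password(u["password"]) for u in users]
    return {
        "md5_distinct": len(set(md5_hex(u["password"]) for u in users)),
        "pbkdf2_distinct": len(set(pbkdf2_hashes)),
        "md5_digests": md5_digests,
    }


if __name__ == "__main__":
    # Constructed sample records; two users happen to share a password.
    SAMPLE_USERS = [
        {"email": "alice@example.invalid", "password": "Summer2018!"},
        {"email": "bob@example.invalid", "password": "Summer2018!"},
        {"email": "carol@example.invalid", "password": "correct horse battery"},
    ]
    report = compare_schemes(SAMPLE_USERS)
    print("distinct MD5 digests for 3 users:", report["md5_distinct"])      # 2
    print("distinct PBKDF2 hashes for 3 users:", report["pbkdf2_distinct"])  # 3
```

The point of `compare_schemes` is the first two numbers: with MD5 the two users sharing a password are visibly linked and a single dictionary hit unlocks both, while with a random salt each record must be attacked separately at PBKDF2 cost.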


All (nearly) 10 million of them:

And it goes on...

In summary: a publicly accessible bucket, over 200GB unzipped, containing API keys, credentials, AWS keys, RSA private keys, transaction data, call logs and various server logs. The users table contains 9,672,637 entries, some with full name, plain text password, email, d.o.b., annual income, address, etc. I spent hours combing through it and still barely touched it.

Attempts have been made to contact the owner with several high profile cyber security experts assisting me in getting this resolved.