AWS uploaded sensitive data to public GitHub bucket

Published Thu, Jan 23rd, 2020

Platforms

Summary

An AWS employee pushed sensitive data to a public github bucket, including customer information and credentials. Note: This issue is outside the scope of this database's usual criteria for inclusion, but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.upguard.com/breaches/identity-and-access-misstep-how-an-amazon-engineer-exposed-credentials-and-more https://www.theregister.com/2020/01/23/aws_engineer_credentials_github/https://github.com/SummitRoute/csp_security_mistakes/issues/17

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Thu, Jan 23rd, 2020

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Upguard

More vulnerabilities...

medium

GCP Speech to Text Information Disclosure

GCP's Speech-to-Text "operations/list" and "operations/get" APIs would return data that did not belong to the caller when no parameters were provided. It is unclear whether this was cross-custome...

Dan MaasJan 12, 2020

low

GCP Stackdriver Debugger SSRF

An SSRF bug in GCP's Stackdriver Debugger feature's code import could have been used to leak the authentication token of the user to an attacker-controlled server. Exploitation would require that t...

Ron ChanDec 19, 2019

medium

GCP Cloudshell Vulnerabilities

Wouter ter Maat discovered 9 vulnerabilities in GCP Cloudshell that could allow an attacker to access resources in another customer's environment.

Wouter ter Maat, OffensiDec 16, 2019

View all