medium

Signature version 1 (SigV1) is insecure

Published Thu, Dec 18th, 2008
Platforms

Summary

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attack would be able to modify signed requests via specially constructed collisions.

Affected Services

N/A

Remediation

None required, SigV1 is deprecated at this point

Tracked CVEs

No tracked CVEs

References

Disclosure Date
-
Exploitablity Period
until December 18th, 2008
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Colin Percival, null