Security News
Object Ownership is a permission that can be set when creating a new object within an S3 bucket, to enforce the transfer of new object ownership onto the bucket owner. "With the proper permissions in place, S3 already allows multiple AWS accounts to upload objects to the same bucket, with each account retaining ownership and control over the objects. This many-to-one upload model can be handy when using a bucket as a data lake or another type of data repository. Internal teams or external partners can all contribute to the creation of large-scale centralized resources," explained Jeff Barr, Chief Evangelist for AWS. But with this set up, the bucket owner doesn't have full control over the objects in the bucket and therefore cannot use bucket policies to share and manage objects.
Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts. The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public - things like login credentials, security keys, and API keys.
Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.
Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.
Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. These virtual credit card skimmers, also known as formjacking attacks, are typically JavaScript code that Magecart operators stealthily insert into a compromised website, often on payment pages, designed to capture customers' card details in real-time and transmit it to a remote attacker-controlled server.
A now-defunct mobile app for loaning money to small business owners has been pinned down as the source of an exposed archive containing roughly 500,000 personal and business financial records. The research team at vpnMentor said it traced an exposed database of financial records back to a former Android/iOS app called MCA Wizard, developed jointly by Advantage Capital Funding and Argus Capital Funding back in 2018.
A pair of misconfigured cloud-hosted file silos have left thousands of peoples' sensitive info sitting on the open internet. The latest demonstration of this comes from eggheads at VPNmentor, who this week said they found two open AWS S3 buckets, one belonging to a UK consulting firm and another run by an adult webcam host.
A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal. read more
Security a popular topic at Las Vegas event re:Invent At its re:Invent event under way in Las Vegas, Amazon Web Services (AWS) dropped the veil on a new tool to help customers to avoid spewing...
Here’s an overview of some of last week’s most interesting news, articles and podcasts: Cybersecurity automation? Yes, wherever possible Automated systems are invaluable when it comes to...