Last year (2019), I was hunting for bugs on LINE, one of the biggest social media platforms.
I discovered an AWS S3 bucket there named 'line-example'. Here 'example' is just a placeholder I'm using instead of the real bucket name.
First, let me clarify what AWS is and what it is used for. Amazon Web Services (AWS) is a secure cloud services platform offering compute power, database storage, content delivery and other functionality to help businesses scale and grow, for example running web and application servers in the cloud to host dynamic websites. Amazon S3 (Amazon Simple Storage Service) is a service offered by AWS that provides object storage through a web service interface. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network.
Okay, back to my story. I fired up my terminal and ran a command with the AWS CLI like this: 'aws s3 ls s3://line-example'.
I was surprised by the result: the bucket listing was open! I just smiled.
The bucket was vulnerable! It was possible to list and read the files inside the bucket, which should have been forbidden with status code 403.
Then I thought: what if I can upload or delete something there? Is it vulnerable to writes too? I fired up my terminal again and tried to upload a file with this command: "aws s3 cp 'julfikar.txt' s3://line-example".
Note: the file julfikar.txt was in the same directory my terminal was running from.
Then I tried to delete this file with the command 'aws s3 rm s3://line-example/julfikar.txt'.
I was surprised again! The bucket accepted my request to upload a file, and it also deleted the file in response to my external command!
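As an added example (not the post author's code), here is an offline audit in Python of the three settings that decide whether a bucket behaves like the one in the story: the bucket ACL (a READ grant to the AllUsers group is what lets an anonymous 'aws s3 ls' list the bucket, and a WRITE grant is what lets 'cp' and 'rm' succeed), the bucket policy, and the bucket's Public Access Block flags. The ACL, policy and Public Access Block documents are constructed samples in the shape that 'aws s3api get-bucket-acl', 'aws s3api get-bucket-policy' and 'aws s3api get-public-access-block' return; the bucket name line-example and the values EXAMPLE-OWNER-ID and vpce-EXAMPLE are placeholders, and the helper names are my own.

```python
"""Offline audit of an S3 bucket ACL, bucket policy and Public Access Block
settings for grants that let anyone list, read, write or delete objects.
Added example, not the post author's code. The sample documents are constructed
in the shape returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block`; a real audit would load those outputs instead."""
import json

# Group URIs AWS uses for "everyone" and "any signed-in AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
# READ on a bucket ACL allows listing (the post's `aws s3 ls`), WRITE allows
# creating and deleting objects (`cp`, `rm`), WRITE_ACP allows changing the
# ACL itself, FULL_CONTROL implies all of them.
RISKY_PERMISSIONS = {"READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# The four PublicAccessBlockConfiguration flags; all four should be true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """Return (group, permission) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS
                and grant.get("Permission") in RISKY_PERMISSIONS):
            findings.append((PUBLIC_GROUPS[uri], grant["Permission"]))
    return findings

def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def policy_public_statements(policy):
    """Return (Sid, actions) for unconditional Allow statements open to anyone.
    Statements with a Condition are skipped: a condition such as aws:SourceVpce
    may narrow the grant, so they need a manual look, not an automatic verdict."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal too
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        findings.append((st.get("Sid", "<no Sid>"),
                         [actions] if isinstance(actions, str) else list(actions)))
    return findings

def public_access_block_gaps(config):
    """Return the PublicAccessBlock flags that are missing or false."""
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]

def audit_bucket(acl, policy_json, pab_config):
    """Run all three checks and return human-readable findings."""
    findings = [f"ACL grants {perm} to {group}"
                for group, perm in acl_public_grants(acl)]
    findings += [f"policy statement {sid} allows {', '.join(acts)} to anyone"
                 for sid, acts in policy_public_statements(json.loads(policy_json))]
    findings += [f"PublicAccessBlock flag {flag} is not enabled"
                 for flag in public_access_block_gaps(pab_config)]
    return findings

# Constructed sample mirroring the post: everyone may list (READ) and create or
# delete objects (WRITE). "EXAMPLE-OWNER-ID" stands in for a canonical user id.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
# get-bucket-policy hands back the policy document as a JSON string.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::line-example/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::line-example", "arn:aws:s3:::line-example/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
# Only BlockPublicAcls is on; with IgnorePublicAcls off the ACL still applies.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print("FINDING:", line)
```

Run as a script it prints six findings for the sample bucket: two public ACL grants, one public policy statement, and three Public Access Block flags that are off. The owner's fix is to remove the AllUsers grants from the ACL, drop or condition the public policy statement, and turn on all four flags, for example with 'aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'; with IgnorePublicAcls on, even a leftover public ACL no longer takes effect.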
This was a critical issue! I was so excited about it. I reported the issue to LINE via HackerOne.
But maybe it was my good luck that it had already been submitted by another researcher! I accepted this as good luck because I always think positive. This will push me to learn more; it is a kind of lesson. Getting a bounty is not important at all. Believing "I can do it" or "I can break it" matters more for now. A bounty is just like a gift, and we should never expect gifts!
I'm ending the story here. Thanks for your time, guys.
Find me at
Twitter: TheJulfikar
Facebook: TheJulfikar
Well done, brother.
I want to learn from you, I want to do bug bounty.
This web site definitely has all the info I wanted about this subject and didn’t know who to ask.
It's hard to come by well-informed people in this particular subject, however, you seem like you know what you're talking about! Thanks
I will right away clutch your RSS feed as I can't find your e-mail subscription hyperlink or newsletter service. Do you have any? Kindly permit me to understand so that I may subscribe. Thanks.
At this moment I don’t have any.