These two major AWS security flaws could have left user accounts wide open

Amazon Web Services (AWS) has been forced to fix two major security vulnerabilities that could have been used to steal sensitive data, reports have claimed.

The two vulnerabilities in Amazon’s cloud computing arm were discovered by cybersecurity researchers at Orca Security, who dubbed them SuperGlue and BreakingFormation.

SuperGlue exploits a problem in AWS Glue, allowing users to access data managed by other Glue users. AWS Glue is a service that customers use to store large amounts of data.

A fix within a day

“We were able to identify a feature in AWS Glue that could be used to obtain credentials for a role in an AWS service’s own account,” Orca said. “In the Glue Internal Services API, we were able to advance privileges within the account to the point where we had unrestricted access to all resources for the service in the area, including full administrative privileges.”

By taking advantage of the flaw, Orca researchers were able to perform a number of potentially malicious actions: assuming roles in AWS customer accounts that are trusted by Glue, and querying and modifying resources related to the AWS Glue service in a specific region. They also discovered a way to access data managed by other Glue users. It’s important to note that Orca didn’t actually gain access to anyone else’s data.

BreakingFormation takes advantage of a vulnerability found in AWS CloudFormation, a tool that lets users “model, provision and manage AWS and third-party resources by treating the infrastructure as a single code.”

According to Orca, this vulnerability could have been used to steal sensitive data from third parties.

Orca researchers tested the fixes (which reportedly took AWS about 25 hours to code) and found that the vulnerabilities were completely fixed and are no longer exploitable.

Via: PCMag
