First massive bug: Noise’s AWS Bucket Misconfiguration
Introduction
In our modern world, keeping our private information safe is super important. We trust companies like Noise to make sure our info doesn’t end up in the wrong hands. But, while looking into online security, I found a big problem with Noise’s AWS bucket. In this blog, I’ll tell you about what I found, how I told Noise about it, and the surprising way they responded.
The Vulnerability
The vulnerability in Noise’s AWS bucket was a result of misconfigured access controls. Specifically, the Amazon S3 bucket (S3 is the AWS object storage service Noise uses) was configured to allow anonymous access: anyone who knew the bucket’s address could list and download sensitive user data without any credentials at all.
In simple terms, it is like a storeroom full of valuables whose door has been accidentally left wide open. Anyone passing by, including malicious actors, could walk in and take things they should never have had access to: names, phone numbers, IDs, photos, watch data, receipts and other private information stored in the bucket. The vulnerability was a gap in the controls meant to keep this data safe, and it needed to be fixed to prevent unauthorized access and misuse of the sensitive information.
The Discovery
While shopping for Noise headphones online, I found a mistake in Noise’s Amazon Web Services (AWS) bucket.
On exploiting it further, I could see all of its contents.
This mistake let me see a large amount of personal information, including but not limited to:
- Heart rate data
- Identification documents
- User device logs
- Email addresses
- User photos
- User complaints
- Access tokens
- Company employees
- Employee email addresses
- Invoices
- Internal domains
- Phone numbers
- Device models
- Android versions in use
- Health data
- Timestamps of user activity
This was a big deal because it could have been very bad if someone with bad intentions found it.
The Right Way to Share the Problem
I didn’t want to use this information for harm. So, I told Noise about it. I gave them all the details of the mistake and told them how to fix it. This is what they call “responsible disclosure” — letting a company know about a problem so they can keep their users’ data safe.
Fixing the Problem
Noise did something good. They quickly fixed the mistake with their AWS bucket. This showed that they cared about their users’ privacy and security.
The Response
What happened next surprised me. I thought Noise would say something about how serious the problem was and thank me for helping. But all they said was “thanks.” They didn’t seem to realize how important it was.
The retest
Before publishing this blog, I retested the issue so that no stone remained unturned, and to my surprise I found that the company had just hidden the bucket but the files were still accessible.
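The retest above hinges on a distinction that is easy to miss: whether an anonymous client can list the bucket and whether it can fetch individual objects are two separate questions, and a bucket whose listing now returns AccessDenied can still serve every object to anyone who knows the key. The helper below is an added example (not code from the original post) that checks both. The bucket URL, object keys and canned HTTP responses are constructed placeholders; "fetch" is any callable that takes a URL and returns a status code and body, so the live fetcher can be swapped for the fakes when testing offline.

```python
"""Retest helper for an exposed S3 bucket: checks object access separately from
bucket listing. Added example, not code from the original post.

Assumptions (not in the original post): the bucket URL, the object keys and the
canned HTTP responses below are constructed placeholders; `fetch` is any callable
that takes a URL and returns (status_code, body).
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace of ListBucketResult


def http_fetch(url, timeout=10):
    """Live fetcher: anonymous GET, returns (status, body). Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": "s3-retest/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_listing_keys(body):
    """Object keys from a ListBucketResult XML document (first page only)."""
    root = ET.fromstring(body)
    return [el.text for el in root.iter(S3_NS + "Key") if el.text]


def probe_bucket(base_url, known_keys=(), fetch=http_fetch):
    """Return what an anonymous client can reach.

    known_keys are object keys recorded during the original finding; they are
    what makes a retest meaningful once listing has been turned off.
    """
    listing_status, body = fetch(base_url + "/")
    listing_public = listing_status == 200

    keys = list(dict.fromkeys(known_keys))  # dedupe, keep order
    if listing_public:
        for key in parse_listing_keys(body):
            if key not in keys:
                keys.append(key)

    readable = []
    for key in keys:
        status, _ = fetch(f"{base_url}/{urllib.parse.quote(key, safe='/')}")
        if status == 200:
            readable.append(key)

    if listing_public and readable:
        verdict = "open: listing and objects readable anonymously"
    elif readable:
        verdict = "hidden, not fixed: listing denied but objects still readable"
    elif listing_public:
        verdict = "listing readable, objects denied"
    else:
        verdict = "no anonymous access observed"
    return {"listing_public": listing_public, "readable_keys": readable, "verdict": verdict}


# --- constructed responses standing in for two bucket states -----------------
LISTING_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-user-uploads</Name>
  <Contents><Key>invoices/2023-01.pdf</Key></Contents>
  <Contents><Key>uploads/id-card.jpg</Key></Contents>
</ListBucketResult>"""
ACCESS_DENIED = b"<Error><Code>AccessDenied</Code></Error>"


def fake_fetch_open(url):
    """Bucket with public listing and public objects."""
    return (200, LISTING_XML) if url.endswith("/") else (200, b"object bytes")


def fake_fetch_hidden(url):
    """Listing turned off, but objects remain world-readable."""
    return (403, ACCESS_DENIED) if url.endswith("/") else (200, b"object bytes")


if __name__ == "__main__":
    base = "https://example-user-uploads.s3.amazonaws.com"
    print(probe_bucket(base, fetch=fake_fetch_open)["verdict"])
    print(probe_bucket(base, ["uploads/id-card.jpg"], fetch=fake_fetch_hidden)["verdict"])
```

Against a real bucket, pass http_fetch (the default) and the keys noted during the first test; without known keys, a bucket in the "hidden" state looks closed even though every recorded object is still downloadable.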
On sharing this with their team again
I replied to their team again, stating that the vulnerability was still not fixed and that, as 30+ days had already passed, I would be publishing my blog.
But all in vain: it’s been 11 days and there is still no response.
How to prevent AWS bucket misconfiguration?
To prevent S3 bucket misconfiguration and improve overall security, consider the following practices:
1. Strict Access Controls:
- Turn on S3 Block Public Access at the account level and on every bucket, so that neither an ACL nor a bucket policy can make objects public by accident.
- Prefer bucket policies and IAM over object ACLs, and set Object Ownership to "Bucket owner enforced", which disables ACLs on the bucket altogether.
- Follow the principle of least privilege, granting users and systems only the permissions their specific tasks require.
2. Regular Audits and Monitoring:
- Audit S3 buckets regularly (for example with the AWS Config managed rules s3-bucket-public-read-prohibited and s3-bucket-level-public-access-prohibited, or with IAM Access Analyzer) so that misconfigurations are found and fixed promptly.
- When verifying a fix, test direct object access and not just bucket listing: a bucket whose listing returns AccessDenied can still serve every object to anyone who knows the key.
- Monitor continuously for unauthorized access or configuration changes.
3. Encryption:
- Enable server-side encryption (SSE-S3, SSE-KMS or SSE-C) to protect data at rest. Note that SSE-S3 does nothing against a public bucket: S3 decrypts transparently for every request it allows, so a world-readable object is served in the clear. SSE-KMS differs only because S3 refuses anonymous requests for KMS-encrypted objects.
4. Secure Bucket Policies:
- Review every Allow statement whose Principal is "*" (or {"AWS": "*"}): unless the bucket is meant to be a public website, no such statement belongs in the policy. The S3 GetBucketPolicyStatus API reports whether AWS itself considers the policy public.
- Re-validate policies whenever the environment or access requirements change.
5. Use AWS Identity and Access Management (IAM):
- Grant access to buckets through IAM roles and policies rather than long-lived access keys embedded in applications.
- Review IAM configurations regularly to keep them aligned with organizational changes.
- If a leaked bucket contained credentials or access tokens, rotate them: making the bucket private again does not revoke anything that was already downloaded.
6. Versioning and Logging:
- Enable versioning on S3 buckets to track changes and recover earlier versions; it protects against deletion and overwrite, not against disclosure.
- Enable AWS CloudTrail data events for S3 (object-level GetObject and PutObject calls) or S3 server access logging, so that reads of the bucket are recorded and can be reviewed after an incident.
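To make items 1, 4 and 5 concrete, here is an added example (not Noise’s configuration and not code from the original post) that puts a weak, world-readable bucket policy next to a hardened one, flags the public grants in each, and applies the Block Public Access and Object Ownership settings through boto3. The bucket name, account id and role ARN are placeholders; harden_bucket expects a boto3 S3 client and is not executed here.

```python
"""Bucket-policy review and hardening helpers. Added example, not Noise's
configuration or code from the original post.

Assumptions (not in the original post): bucket name, account id and role name
are placeholders; `harden_bucket` takes a boto3 S3 client and is not run here.
"""
import json

# S3 Block Public Access, all four switches on (account or bucket level).
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Weak policy: anonymous list and read of everything, no conditions.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-user-uploads", "arn:aws:s3:::example-user-uploads/*"],
    }],
}

# Hardened policy: one application role may read/write objects; plain-HTTP
# requests are denied. The Deny uses Principal "*" but grants nothing.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-user-uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-user-uploads", "arn:aws:s3:::example-user-uploads/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy):
    """Allow statements that grant access to everyone.

    Conditioned grants are returned too (conditioned=True): a condition such
    as aws:SecureTransport still leaves the bucket public, so a human must
    read the condition rather than trusting its presence.
    """
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        grants.append({
            "Sid": stmt.get("Sid"),
            "Action": _as_list(stmt.get("Action", [])),
            "Resource": _as_list(stmt.get("Resource", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return grants


def is_public(policy):
    """Public if any anonymous Allow has no Condition at all."""
    return any(not g["conditioned"] for g in find_public_grants(policy))


def harden_bucket(s3, bucket, policy=HARDENED_POLICY):
    """Apply the fix with a boto3 S3 client (real boto3 method names; not run here)."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)
    # "Bucket owner enforced" disables ACLs, so a stray public-read ACL cannot
    # reopen the bucket later.
    s3.put_bucket_ownership_controls(
        Bucket=bucket, OwnershipControls={"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    # AWS's own verdict on the resulting policy; should be False.
    return s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "PUBLIC" if is_public(pol) else "not public", find_public_grants(pol))
```

Run find_public_grants over the policies pulled from every bucket in the account (aws s3api get-bucket-policy) as a first pass; the AWS Config rules named above do the same check continuously, and harden_bucket is the remediation once a bucket shows up.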
Conclusion
Finding a problem with Noise’s AWS bucket, which puts private information at risk, reminds us that the online world isn’t always safe. Responsible disclosure is important because it helps companies protect their users.
Companies should not only fix problems but also say thanks to the people who find them. Ethical hackers help keep our information safe, and they should be recognized.
We need to make sure companies do the right thing to keep our data safe. Even if they don’t say thanks, we should still hold them accountable. Ethical hackers keep working to protect us and our online world.