From Finding AWS S3 Bucket to Sensitive Data Exposure

Hello everyone, I hope you are all doing well. In this article I am going to share how I found an AWS S3 bucket and how it led to the exposure of users' sensitive data. The program was a helpdesk application with features for hiring new employees, assigning tasks, presentation preparation and so on. I started by going through the web app to understand it better: what features it has and how they work. After getting a rough idea of the app I started testing each feature one by one.

I was testing the presentation preparation feature. This is where an employee can practice and prepare a presentation. Here they can upload documents such as slides or PDFs, and they can also add sticky notes inside that screen which are visible only to them. This section is totally private; only an admin user has access to it. The user can not only prepare a presentation here but also deliver it from this section. All they have to do is start the presentation, and only their slides or PDF files are shown to others; the sticky notes stay private to that user. Now that you have an idea of how this feature works, let's move on to how I found the S3 bucket.

While going through the source code of that page I saw that the web app was loading the slides in an iframe. The URL looked something like this:

		https://cdn.example.com/document/view.html?id=91929&pages=1&s3=bucket-name-us-east-1


As you can see, the URL has some interesting parameters. I opened it in a new tab and it returned a blank white page. At first I didn't notice that it had an S3 bucket name in it; my main focus was on the id parameter. I changed it to another document ID to see whether I could access that document, but sadly it returned the same blank white page. At this point the s3 parameter still hadn't caught my attention.

I opened the source code of this page and saw an interesting line of JavaScript (the hostname was originally split out of the string literal; it is shown here as a valid expression):

		"canonical_url" : "https://bucket-name-us-east-1.s3.amazonaws.com/document/" + ID + "/result.pdf",

I concatenated this endpoint by adding the ID value and it became:

		https://bucket-name.us-east-1.s3.amazonaws.com/document/12345/result.pdf

Opening it in a new tab gave me a NoSuchKey error. But when I simply opened the S3 bucket itself, I was greeted with a public listing. The first file was Admin_audit.zip. I thought I had hit a goldmine, but when I downloaded and unzipped it there was nothing sensitive inside. The browser view of an S3 bucket listing is confusing, so I used the AWS CLI for further inspection.

I listed the bucket by running this command:

		aws s3 ls s3://bucket-name/

It returned 6 directories. The first was Admin_reports, which held that admin_audit file, so there was nothing sensitive there. The other directories were Documents, Notes, Pins and Pictures, and all of them contained sensitive data of other users. The Documents directory held every document that users had uploaded to their presentations. As I mentioned before, presentation files are not supposed to be available until the user starts the presentation, and even then the files are only available to users of that specific organization; in other words, files of one organization should never be visible to users of a different organization. But in this Documents directory the files of all organizations were exposed.

The Notes directory held the sticky notes of users across all organizations, and the Pins and Pictures directories also contained other users' private data. Unfortunately, the bucket did not have public write access. Checking an S3 bucket for misconfiguration takes a minute; the main work is finding the bucket. This was actually the first S3 bucket bug I found by reading the source code of a page.
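The public listing above comes down to a bucket policy (or ACL) that grants anonymous callers s3:ListBucket. The following added example (my own code, not from the original post or the program in question) checks a bucket policy document for exactly that grant, using two constructed policies: one that exposes the listing and a corrected one that only lets a hypothetical application role read objects.

```python
import json

# Constructed sample policies, not from the original post. The first grants
# anonymous s3:ListBucket (the setting that produces a public directory
# listing); the second lets only a named application role read objects.
PUBLIC_LIST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyoneToList", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/presentation-app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Actions that permit enumerating keys; a bare s3:GetObject does not.
LISTING_ACTIONS = {"s3:listbucket", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} matches any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_listing_statements(policy_json):
    """Return Sids of Allow statements that let anonymous callers list the bucket.

    Conditional statements are still reported, since a Condition such as
    aws:SourceIp is easy to get wrong; review them by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & LISTING_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Enabling S3 Block Public Access on the account or bucket rejects a policy like the first one outright; note that a public-read bucket ACL can grant listing independently of the policy and is not covered by this check.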

That's it, thank you for reading. If you have any questions you can reach me on Twitter. See you in the next article.