AWS S3 Bucket Misconfiguration Exposes PII and Documents of Job Seekers

This blog discusses a misconfiguration in an AWS S3 bucket owned by Oil India Limited, which exposed the Personally Identifiable Information (PII) and documents of job seekers.

brutexploiter
InfoSec Write-ups


https://oil-india.com

Hello, my name is Biraj Baishya, also known as brutexploiter. I am an independent security researcher, a full-time bug bounty hunter, and a mechanical engineer.

In this write-up, I will discuss how I discovered a critical vulnerability and protected the data of job seekers from a misconfiguration that could have been exploited by cyber attackers, potentially leading to a data breach.

Initial Discovery:

The discovery phase of the vulnerability was quite interesting because I visited the Oil India Limited website as a job seeker. Oil India Limited had recently announced job openings for various technical positions, so I visited the site to download the admit card for the examination. Suddenly, during the downloading process, I noticed that the documents were being served from an Amazon Web Services (AWS) S3 Bucket.

I thought, ‘Let’s play around a little bit.’ The first thing I did was try accessing another directory, but I had no luck. However, when I visited the S3 bucket URL directly, I noticed that files were listed on the page. I attempted to access one of the files displayed and succeeded. As I accessed the contents of the bucket, I noted that it was set to be publicly accessible.

edumedias AWS S3 Bucket

What is AWS?

AWS stands for Amazon Web Services, a secure cloud services platform offering compute power, database storage, content delivery and other functionality.

What is Amazon S3?

Amazon S3 stands for Amazon Simple Storage Service, an object storage service that offers industry-leading scalability, data availability, security, and performance.

The next thing I did was start reading AWS S3 documentation for a better understanding.

Documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/index.html

I also found many articles about AWS S3 Bucket misconfiguration. After reading them, I prepared my environment for testing.

Technical Analysis:

ACLs

Amazon S3 considers a bucket or object ACL public if it grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups.

Bucket policies

When evaluating a bucket policy, Amazon S3 begins by assuming that the policy is public. It then evaluates the policy to determine whether it qualifies as non-public. To be considered non-public, a bucket policy must grant access only to fixed values (values that don’t contain a wildcard or an AWS Identity and Access Management Policy Variable) for one or more of the following:

  • An AWS principal, user, role, or service principal (e.g. aws:PrincipalOrgID)
  • A set of Classless Inter-Domain Routings (CIDRs), using aws:SourceIp.
  • aws:SourceArn
  • aws:SourceVpc
  • aws:SourceVpce
  • aws:SourceOwner
  • aws:SourceAccount
  • s3:x-amz-server-side-encryption-aws-kms-key-id
  • aws:userid, outside the pattern "AROLEID:*"
  • s3:DataAccessPointArn
  • s3:DataAccessPointAccount

Example : Public bucket policies

Under these rules, the following example policies are considered public.

{
  "Principal": "*",
  "Resource": "*",
  "Action": "s3:PutObject",
  "Effect": "Allow"
}

{
  "Principal": "*",
  "Resource": "*",
  "Action": "s3:PutObject",
  "Effect": "Allow",
  "Condition": { "StringLike": {"aws:SourceVpc": "vpc-*"}}
}
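To make the "assume public, then look for a fixed value" rule concrete, here is an added example (not AWS code and not from the original post) that classifies the two policies above plus a non-public variant with a fixed VPC id; the VPC id and the simplification that negated condition operators (e.g. StringNotEquals) never restrict access are my own assumptions.

```python
import re

# Condition keys from the list above: a fixed value on any of them makes a statement non-public.
NON_PUBLIC_KEYS = {
    "aws:PrincipalOrgID", "aws:SourceIp", "aws:SourceArn", "aws:SourceVpc",
    "aws:SourceVpce", "aws:SourceOwner", "aws:SourceAccount",
    "s3:x-amz-server-side-encryption-aws-kms-key-id", "aws:userid",
    "s3:DataAccessPointArn", "s3:DataAccessPointAccount",
}
POLICY_VARIABLE = re.compile(r"\$\{[^}]+\}")  # IAM policy variable, e.g. ${aws:username}

def is_fixed(value: str) -> bool:
    """A value is fixed if it holds no wildcard and no IAM policy variable."""
    return "*" not in value and "?" not in value and not POLICY_VARIABLE.search(value)

def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, possibly unauthenticated."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def statement_is_public(stmt: dict) -> bool:
    """Start by assuming public, then look for a fixed value that narrows the grant."""
    if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if "Not" in operator:  # assumption: negated operators never pin access to a fixed value
            continue
        for key, values in keys.items():
            vals = [values] if isinstance(values, str) else list(values)
            if key in NON_PUBLIC_KEYS and vals and all(is_fixed(v) for v in vals):
                return False
    return True

def policy_is_public(policy: dict) -> bool:
    """A policy is public if any one of its statements is."""
    stmts = policy["Statement"]
    return any(statement_is_public(s) for s in ([stmts] if isinstance(stmts, dict) else stmts))

# Constructed inputs: the two public examples from the text, then a non-public variant.
PUT_TO_ANYONE = {"Statement": {"Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow"}}
VPC_WILDCARD = {"Statement": [{**PUT_TO_ANYONE["Statement"],
                               "Condition": {"StringLike": {"aws:SourceVpc": "vpc-*"}}}]}
VPC_FIXED = {"Statement": [{**PUT_TO_ANYONE["Statement"],
                            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d"}}}]}  # constructed id

if __name__ == "__main__":
    for name, pol in [("PUT_TO_ANYONE", PUT_TO_ANYONE), ("VPC_WILDCARD", VPC_WILDCARD), ("VPC_FIXED", VPC_FIXED)]:
        print(name, "public" if policy_is_public(pol) else "non-public")
```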

Useful AWS CLI Commands

ls

List S3 objects and common prefixes under a prefix or all S3 buckets. Note that the --output and --no-paginate arguments are ignored for this command.

cp

Copies a local file or S3 object to another location locally or in S3.

mv

Moves a local file or S3 object to another location locally or in S3. The mv command copies the source object or file to the specified destination and then deletes the source object or file.

Options

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

Prerequisites:

1. Installing the AWS Command Line Interface

Now, we need to install the AWS CLI.

pip install awscli

After installation, check that it was installed correctly.

aws --version

2. Creating an Amazon AWS Account

Create an AWS account, fill in the details, and sign in to the console.

3. Getting Access Keys

After signing in, go to https://console.aws.amazon.com/iam/ and click on Users.

  • Create User
  • Create Access Key

4. Configuring the AWS CLI

Go to your terminal and type:

aws configure

5. Checking for vulnerable S3 Bucket

aws s3 ls s3://[bucketname]

Now there are a few commands/operations we can try on it.

List files: aws s3 ls s3://[bucketname] --no-sign-request
Move file: aws s3 mv test.txt s3://[bucketname]/test2.txt --no-sign-request
Copy file: aws s3 cp test.txt s3://[bucketname]/test2.txt --no-sign-request

Testing Phase:

Read File:

aws s3 ls s3://edumedias --no-sign-request

Due to the misconfiguration, an attacker can access the contents of the S3 bucket, which is very dangerous when the bucket holds sensitive content such as users' personal data and documents. An attacker could extract all of this data, potentially causing a data breach.

Steps to Reproduce:

1. Obtain the S3 bucket URL: https://edumedias.s3.amazonaws.com

2. Access the URL in a web browser or using the AWS CLI command-line tool.

Observe that the contents of the S3 bucket are accessible without requiring any authentication.

Command:

Request:

aws s3 ls s3://edumedias --no-sign-request

Response:

PRE 25July21_IPM/
PRE 3/
PRE 4th July IPM/
PRE AWES/
PRE App/
PRE BCI/
PRE BEL/
PRE BSEB/
PRE Backup_RD-27523/
PRE BioMetric/
PRE CB/
PRE CBTExam/
PRE CGDA/
PRE CGPSC/
PRE CIP/
PRE CURAJ/
PRE DB-BACKUP/
PRE DBS_Team/
PRE Datashare/
PRE ELBLogs/
PRE FRI/
PRE GMU/
PRE HC23/
PRE HC_1/
PRE IBPS/
PRE IGCAR/
PRE IIP/
PRE IPM23/
PRE JEST/
PRE OIL/
PRE Project PC/
PRE QP_Team/
PRE RML/
PRE Rdsbkup/
PRE TB-V/
PRE TIFR/
PRE VDO/
PRE examedia/
PRE pab/
2023-07-13 15:24:11 52029952 db_elmah_log.bak

Impact:

The impact of this vulnerability is severe and can result in the unauthorized disclosure of sensitive data.

By accessing the publicly exposed S3 bucket, an attacker could obtain and misuse confidential information, personally identifiable information (PII), and documents belonging to job seekers and employees.

Sensitive Data Exposed:

10th Marsheet
12th Marsheet
Caste Certificate
Diploma Marsheet
Employment Exchange Registration Card
GraduationTrade_Upload Marsheet
NOC_Certificate
NOC_from employer
National_Apprenticeship Certificate
NonCreamy_Layer Certificate
Photo
Proof_of Date Of Birth
Signature
State_Nursing Council Registration Certificate
Trade_Upload Marsheet

Proof of Concept (POC):

Proof of Concept #1
Attendance Form, POC #2
Marksheet, POC #3
Proof of Concept #4

Remediation:

If the S3 bucket contains any sensitive content, never allow public access. Ensure that "Block all public access" is turned on.
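As an added example (not part of the original post, and not a tool from Oil India or AWS), the following script audits a bucket for the three things that made this exposure possible: the four "Block all public access" settings, a public bucket policy, and ACL grants to the predefined AllUsers or AuthenticatedUsers groups described under ACLs above. It assumes boto3 is installed and credentials with read permissions on the bucket's configuration; the sample ACL grant is constructed.

```python
from typing import Dict, List

# URIs of the two predefined groups that make an ACL public (see ACLs above).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four settings behind the console's "Block all public access" switch.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def assess_bucket(block_config: Dict[str, bool], policy_public: bool,
                  acl_grants: List[dict]) -> List[str]:
    """Pure check over already-fetched settings: returns findings, empty list means no exposure."""
    findings = []
    off = [flag for flag in BPA_FLAGS if not block_config.get(flag, False)]
    if off:
        findings.append("Block public access not fully enabled: " + ", ".join(off))
    if policy_public:
        findings.append("Bucket policy is public")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

def audit(bucket: str) -> List[str]:
    """Live check with boto3 (assumed installed; needs s3:GetBucket* style permissions)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        block_config = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        block_config = {}  # never configured: every flag is effectively off
    try:
        policy_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy_public = False  # no policy at all cannot be a public policy
    return assess_bucket(block_config, policy_public, s3.get_bucket_acl(Bucket=bucket)["Grants"])

# Constructed sample mirroring a listable bucket: no block settings, READ granted to AllUsers.
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]
```

Once findings are confirmed, enabling all four flags with PutPublicAccessBlock (aws s3api put-public-access-block) is the fix the remediation section calls for.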

After finding the vulnerability, I immediately created a vulnerability report and sent it to CISO@oilindia.in, vdisclose@cert-in.org.in and incident@nic-cert.nic.in.

Disclosure Timeline:

  • July 15, 2023: Vulnerability reported to Oil India Limited and CERT-In
  • July 15, 2023: Initial response received from Oil India Limited and CERT-In
  • Sep 12, 2023: Vulnerability fixed
  • Sep 20, 2023: Acknowledgement received from Oil India Limited
  • May 1, 2024: Public disclosure

Initial Response Received from CERT-In
Acknowledgement received from Oil India Limited

Kudos to the OIL India Limited team for their swift and effective mitigation of the identified vulnerability.

Thank you for reading. I hope you enjoyed reading the write-up!

References:

Open for Private Program Invitations. Reach out to me at brutexploiter@bugcrowdninja.com and brutexploiter@wearehackerone.com

Twitter : https://twitter.com/brutexploiter

Linkedin : https://www.linkedin.com/in/brutexploiter
