CG-2024-00003

Hope: Exposed Credentials in Public Buckets

Case: CG-2024-00003 Hope: Exposed Credentials in Public Buckets
Case lead: Soufian El Yadmani
Researchers: Gabriel Tarsia, Michael Rowley, Sophia Guarnotta, Tyler Kay
CWE(s):
  • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
  • CWE-522: Insufficiently Protected Credentials
Published: 15 April 2024 09:00 CET
Last updated: 19 April 2024

Summary

Public buckets are exposed to the world at large. While they can be useful for things like websites and public data stores, it is unlikely that credentials will be intentionally placed in them. During this case, we scanned large numbers of publicly exposed buckets from providers like:

  • AWS S3
  • Azure Blob Storage
  • Google Cloud Platform Buckets

for credentials like:

  • AWS Access Tokens
  • OAuth Tokens
  • API keys
  • GCP Service Accounts
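As an added example (not the case team's tooling), a small Python checker for the credential formats listed above that an owner can run over objects pulled from their own bucket before or after making it public; the sample objects and every key value in them are constructed and not real.

```python
import json
import re

# Formats for the credential types named in this case. AWS long-term key IDs
# begin with "AKIA" (temporary ones with "ASIA") and are 20 uppercase
# alphanumerics; Google API keys begin with "AIza" plus 35 characters. OAuth
# tokens have no fixed shape, so only an explicit "Bearer <token>" is matched.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "oauth_bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
}

def scan_object(key, body):
    """Return (object key, finding type) pairs for credentials found in one object."""
    findings = [(key, name) for name, rx in PATTERNS.items() if rx.search(body)]
    # GCP service account keys are JSON documents with a characteristic shape.
    if key.endswith(".json"):
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            findings.append((key, "gcp_service_account_key"))
    return findings

def scan_bucket(objects):
    """objects: mapping of object key -> text body (fetched with your provider's SDK)."""
    findings = []
    for key, body in objects.items():
        findings.extend(scan_object(key, body))
    return findings

# Constructed sample bucket listing; none of these values are real credentials.
SAMPLE_OBJECTS = {
    "index.html": "<html><body>Hello</body></html>",
    "config/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\nAWS_SECRET_ACCESS_KEY=notreal\n",
    "keys/sa.json": json.dumps({"type": "service_account", "project_id": "demo",
                                "private_key_id": "abc", "private_key": "-----BEGIN PRIVATE KEY-----\nfake\n",
                                "client_email": "sa@demo.iam.gserviceaccount.com"}),
    "notes.txt": "api key for maps: AIzaSyExampleExampleExampleExampleExam1",
}

if __name__ == "__main__":
    for key, kind in scan_bucket(SAMPLE_OBJECTS):
        print(f"{key}: {kind}")
```

Any hit should be treated as a rotate-and-investigate event, since removing the object from the bucket does not invalidate a credential that may already have been copied.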

Response Actions

  1. Remove the publicly exposed credentials from the bucket
  2. Rotate the publicly exposed credentials
  3. Determine if the other bucket contents should be public and restrict access appropriately
  4. Analyse logs to determine if the exposed credential was abused
  5. Undo abusive actions

For some credential types (notably cloud provider access), the potential for abuse is high and can lead to further lateral movement and privilege escalation. Amazon have provided some detailed playbooks to tackle these situations: