Researchers spot 22 Amazon Web Services APIs that can leak information


    Palo Alto Networks researchers announced that they have found 22 Amazon Web Services (AWS) APIs across 16 AWS services that can allegedly be manipulated to steal user data. According to the researchers, this class of AWS APIs can be abused to enumerate AWS Identity and Access Management (IAM) users and roles in arbitrary accounts across all three AWS partitions.

    “APIs are fast becoming the vehicle for customer experience personalization. These APIs in question dramatically reduce the effort required by organizations to build cloud-based and cloud-native applications. However, APIs are a double-edged sword – when implemented poorly, they provide unprecedented access to core transactional business systems,” said Setu Kulkarni, vice president, strategy at application security provider WhiteHat Security Inc.

    AWS services that could potentially be abused by attackers include Amazon Simple Queue Service (SQS), AWS Key Management Service (KMS), and Amazon Simple Storage Service (S3). The exploitation begins when an attacker obtains the identity listing of an account. Once the attacker has the listing, they can understand the organization’s internal structure and then launch targeted attacks against individuals.

    “Often, API security is narrowly and wrongly defined to only include API management,” said Setu Kulkarni. “API security should include API security testing to make sure that the APIs do not suffer from AppSec vulnerabilities. One may even argue that API security testing should also include ‘business logic assessments.’ They provide organizations the visibility into how a poorly designed API can reveal information that can be used as input into another API to get unprecedented access into not just more customer data but also to executing functionality on behalf of the customer.”

    The root cause of the problem is said to be that the AWS backend proactively evaluates all of the resource-based policies attached to resources such as customer-managed keys and S3 buckets. Resource-based policies usually contain a Principal field that names the identities authorized to access the resource. The researchers say that although this is a useful feature, it can also be used to check whether an identity exists in an AWS account. Policy validation is an AWS feature intended to help users understand their policies.
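    To make the mechanism concrete, here is a minimal S3 bucket policy of the kind the article refers to. It is an added illustration, not part of the Palo Alto Networks research or of the original article; the bucket name and the 12-digit account ID are constructed placeholders. The Principal element is the field described above: when a policy like this is attached to a bucket, AWS checks that the principal it names actually exists before accepting the document, and that validation step is what the researchers say can be turned into reconnaissance.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadFromNamedRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleDeployRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket-placeholder/*"
    }
  ]
}
```

    The point for defenders is where the check runs: the validation happens on the resource of whoever submits the policy, so the account named in the Principal receives no log entry for it, which is why the article describes detection in the targeted account as difficult.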

    While most customers benefit from this feature, adversaries may also find it useful for conducting reconnaissance in another account. According to the researchers, detecting and deterring identity reconnaissance using this method is hard because it leaves no noticeable logs in the targeted accounts.
