Improper Storage of Private Project’s Files
Aug 30, 2017
Severity: High
Complexity: Easy
Weakness: Improper Storage of files on S3 Buckets
- While testing one of the private programs on HackerOne: its main feature is that users write code for their project and save the project as either Private or Public.
- Whenever we store something in a public project, its files get stored at
https://REDACTED.s3.amazonaws.com/sagewfextdg/uploads/1494851423/1.py
Here sagewfextdg is the ID for public projects.
- Tried the same thing with a private project:
https://REDACTED.s3.amazonaws.com/sawexvecswt/uploads/1494851123/1.py
Here sawexvecswt is the ID for private projects.
- Now we have the IDs for both public and private projects in the S3 bucket where the files are saved, and the rest of the path looks like:
/uploads/1494851423/1.py
- The only variable part left is /1494851423/, which is nothing but a Unix timestamp.
A Unix timestamp encodes the current date, month, year, hour, minute and second as a single number of seconds.
- You can convert the timestamp to a human-readable format at http://www.unixtimestamp.com/
- Wrote a simple script to generate every timestamp for a whole day (24 hours) using the Python datetime module and started fuzzing.
- Was able to access the private files of other users.
- As a fix, they added an auth token verifier for viewing or downloading files from the S3 bucket.
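The root cause above is that the only per-file secret in the object key is a second-resolution timestamp, so a whole day of private files fits in 86,400 guesses. The following is an added example, not code from the program or from this writeup, showing the weak key layout beside two defensive changes: an unguessable random path segment, and a server-side check of the kind the fix describes. The writeup only says an "auth token verifier" was added; the HMAC-signed, expiring, per-user-per-object token here is an assumption about what such a verifier can look like, and the signing key, project IDs and owners are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed, hypothetical signing key; a real service loads this from a secret store.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# Constructed sample data: which user owns which private project.
PROJECT_OWNERS = {"proj_private_1": "alice", "proj_private_2": "bob"}


def timestamp_key(project_id: str, unix_ts: int, filename: str) -> str:
    """The weak layout from the writeup: project ID + a guessable Unix timestamp."""
    return f"{project_id}/uploads/{unix_ts}/{filename}"


def candidates_per_day() -> int:
    """Search space a second-resolution timestamp leaves for one day of uploads."""
    return 24 * 60 * 60  # 86400 distinct keys per day, regardless of bucket or project


def random_key(project_id: str, filename: str) -> str:
    """Hardened layout: 128 bits of randomness instead of a timestamp.
    token_urlsafe(16) yields 22 URL-safe characters, far beyond brute-force reach."""
    return f"{project_id}/uploads/{secrets.token_urlsafe(16)}/{filename}"


def _message(user_id: str, object_key: str, expires_at: int) -> bytes:
    # Binding user, object and expiry means a token for one file cannot fetch another.
    return f"{user_id}|{object_key}|{expires_at}".encode()


def issue_download_token(user_id: str, object_key: str, expires_at: int,
                         key: bytes = SIGNING_KEY) -> str:
    """Issued by the application after it has verified the user may read object_key."""
    mac = hmac.new(key, _message(user_id, object_key, expires_at), hashlib.sha256).hexdigest()
    return f"{expires_at}.{mac}"


def verify_download_token(user_id: str, object_key: str, token: str, now: int,
                          key: bytes = SIGNING_KEY) -> bool:
    """Run by the download endpoint before any S3 object is fetched or redirected to."""
    try:
        exp_str, mac = token.split(".", 1)
        expires_at = int(exp_str)
    except ValueError:
        return False  # malformed token
    if now >= expires_at:
        return False  # expired token
    expected = hmac.new(key, _message(user_id, object_key, expires_at), hashlib.sha256).hexdigest()
    # Constant-time compare avoids leaking the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


def authorize_download(user_id: str, project_id: str, object_key: str,
                       token: str, now: int) -> bool:
    """Authorization decision: ownership of the project AND a valid token for this object."""
    if PROJECT_OWNERS.get(project_id) != user_id:
        return False
    if not object_key.startswith(f"{project_id}/uploads/"):
        return False  # token must not be reused across projects
    return verify_download_token(user_id, object_key, token, now)


if __name__ == "__main__":
    key = random_key("proj_private_1", "1.py")
    tok = issue_download_token("alice", key, expires_at=1_494_851_423 + 300)
    print("owner, valid token :", authorize_download("alice", "proj_private_1", key, tok, 1_494_851_423))
    print("other user, same  :", authorize_download("bob", "proj_private_1", key, tok, 1_494_851_423))
    print("owner, expired    :", authorize_download("alice", "proj_private_1", key, tok, 1_494_851_423 + 600))
```

The two changes are independent: the random path segment removes the enumerable keyspace even if a URL leaks, and the server-side verifier means the bucket is never the component making the access decision. Either alone would have closed the issue described in the writeup; together they also cover a token that is shared or logged, since it is bound to one user and one object and expires.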