Improper Storage of Private Project’s Files

Severity: High

Complexity: Easy

Weakness: Improper Storage of files on S3 Buckets

  • While testing a private program on HackerOne: its main feature is writing code for a project and saving the project as Private or Public.
  • Whenever something is stored in a Public project, its files get saved to

https://REDACTED.s3.amazonaws.com/sagewfextdg/uploads/1494851423/1.py

Here sagewfextdg is the prefix (ID) under which Public projects' files are stored.

  • Tried the same thing with a Private project:

https://REDACTED.s3.amazonaws.com/sawexvecswt/uploads/1494851123/1.py

Here sawexvecswt is the prefix (ID) under which Private projects' files are stored.

  • Now we have the prefixes for both Public and Private project files in the S3 bucket. The rest of each object key looks like

/uploads/1494851423/1.py

  • The only unknown part is /1494851423/, which is nothing but a Unix timestamp.

A Unix timestamp is the number of seconds elapsed since 1970-01-01 00:00:00 UTC, so it encodes the date and time of the upload down to the second; 1494851423, for example, is 2017-05-15 12:30:23 UTC. That means every file uploaded on a given day has one of only 86,400 possible keys, and the filename (1.py) is predictable too.

  • You can convert a timestamp to human-readable form at http://www.unixtimestamp.com/ (or with Python's datetime module).
  • Wrote a simple script using Python's datetime module to generate every timestamp for a whole day (24 hours, i.e. 86,400 candidates), built the /uploads/<timestamp>/1.py path under the private prefix for each one, and started fuzzing.
  • Was able to access other users' private files.
  • As a fix, they added an auth-token verifier for viewing or downloading files from the S3 bucket, so knowing (or guessing) an object key is no longer enough on its own.
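The block below is an added example written for this page; it is not the author's fuzzing script and not the program's actual implementation. It reproduces the idea behind the attack (the whole keyspace for one UTC day is 86,400 timestamps, so every `<prefix>/uploads/<timestamp>/1.py` key can be tried) against a constructed in-memory stand-in for the bucket, then shows one plausible shape of the "auth token verifier" fix: a short-lived HMAC token bound to the requesting user and the object key, checked together with ownership before anything is served. The `sawexvecswt` prefix comes from the write-up; the bucket contents, user names, timestamps other than 1494851123/1494851423, the signing secret and the token format are all assumptions made for the demo.

```python
"""Added example: one-day timestamp enumeration against a stand-in bucket, and a
token-checked download of the kind the write-up describes as the fix.
Not the original script; bucket contents, users and the secret are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone

PRIVATE_PREFIX = "sawexvecswt"   # private-project prefix quoted in the write-up
SECONDS_PER_DAY = 86400


def day_timestamps(day: str) -> range:
    """Every Unix timestamp that falls on the given UTC day ('YYYY-MM-DD')."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    first = int(start.timestamp())
    return range(first, first + SECONDS_PER_DAY)


def to_human(ts: int) -> str:
    """Unix timestamp -> 'YYYY-MM-DD HH:MM:SS UTC' (what unixtimestamp.com shows)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def candidate_keys(prefix: str, day: str, filename: str = "1.py"):
    """Object keys <prefix>/uploads/<timestamp>/<filename> for one whole day."""
    for ts in day_timestamps(day):
        yield f"{prefix}/uploads/{ts}/{filename}"


# Constructed stand-in for the bucket: object key -> (owner, contents).
BUCKET = {
    "sawexvecswt/uploads/1494851123/1.py": ("alice", b"print('alice private')"),
    "sawexvecswt/uploads/1494853999/1.py": ("bob", b"print('bob private')"),
}


def fetch_unprotected(key: str):
    """Vulnerable behaviour: anyone who can name the key gets the object."""
    entry = BUCKET.get(key)
    return entry[1] if entry else None


def enumerate_day(prefix: str, day: str, fetch) -> dict:
    """Try every timestamp of the day; return {key: contents} for each hit."""
    hits = {}
    for key in candidate_keys(prefix, day):
        data = fetch(key)
        if data is not None:
            hits[key] = data
    return hits


# --- The fix: a short-lived HMAC download token bound to user + object key ---
SIGNING_SECRET = b"constructed-server-side-secret"   # assumption; never sent to clients
TOKEN_TTL = 300                                      # seconds


def _sig(user: str, key: str, exp: int) -> str:
    msg = f"{user}|{key}|{exp}".encode()
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, key: str, now: int) -> str:
    """Issued by the app only after it has checked that `user` may read `key`."""
    exp = now + TOKEN_TTL
    return f"{exp}.{_sig(user, key, exp)}"


def fetch_with_token(user: str, key: str, token: str, now: int):
    """Hardened download: valid, unexpired token bound to this user and this key,
    plus an ownership check; otherwise nothing is served."""
    try:
        exp_str, sig = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return None
    if now > exp:
        return None
    if not hmac.compare_digest(_sig(user, key, exp), sig):
        return None
    entry = BUCKET.get(key)
    if entry is None or entry[0] != user:
        return None
    return entry[1]


if __name__ == "__main__":
    day = "2017-05-15"          # the UTC day 1494851423 falls on
    print(to_human(1494851423))
    leaked = enumerate_day(PRIVATE_PREFIX, day, fetch_unprotected)
    print(f"unprotected: {len(leaked)} private files found with {SECONDS_PER_DAY} guesses")
    now = 1494860000
    key = "sawexvecswt/uploads/1494851123/1.py"
    tok = issue_token("alice", key, now)
    print("alice with her own token:", fetch_with_token("alice", key, tok, now))
    blocked = enumerate_day(PRIVATE_PREFIX, day,
                            lambda k: fetch_with_token("mallory", k, "", now))
    print(f"with token check: {len(blocked)} files found")
```

Two caveats for anyone applying the fix side of this: the token check only closes the hole if the objects stop being directly readable from S3 (block public access on the bucket and serve downloads through the app, or hand out short-lived pre-signed URLs instead), and switching to random, unguessable keys alone would not be a fix either, since a key that leaks in a log or referrer would still grant access without any authorization check.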

Security Analyst
