Username Disclosure in Balsamiq's S3 Bucket

Weakness: Information Disclosure
Scope: None
Severity: Low

  • Username disclosure through the x-amz-meta-s3cmd-attrs header:
  • Request:

GET /mockups-desktop/Balsamiq_Mockups_3.5.5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: <REDACTED>
Connection: close
Upgrade-Insecure-Requests: 1

  • Response:


  • Most importantly, don't store the username in the x-amz-meta-s3cmd-attrs header:


  • Attackers can leverage such information while attacking.
  • The x-amz-meta-s3cmd-attrs header stores information about the computer and the user that synced the object. Adding the parameter --no-preserve avoids storing the username.

Use --no-preserve to prevent this information from being stored.

See s3cmd --help:

-p, --preserve        Preserve filesystem attributes (mode, ownership, timestamps). Default for [sync] command.
--no-preserve         Don't store FS attributes
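A bucket owner can check whether already-uploaded objects carry this metadata. The audit helper below is an added example, not code from the post or from s3cmd; it assumes s3cmd encodes the header value as key:value pairs joined by "/" (an assumption about s3cmd's format) and treats uname, gname, uid and gid as identity-revealing. The sample HEAD responses are constructed.

```python
# Added audit example (not from the post or from s3cmd). Assumes the header
# value is encoded as "key:value/key:value/..." with keys such as uname, gname,
# uid, gid, mode, mtime; confirm against a HEAD response from your own bucket.
from typing import Dict, List

HEADER = "x-amz-meta-s3cmd-attrs"
SENSITIVE_KEYS = {"uname", "gname", "uid", "gid"}


def parse_s3cmd_attrs(value: str) -> Dict[str, str]:
    """Split 'atime:1/uname:bob' into {'atime': '1', 'uname': 'bob'}."""
    attrs = {}
    for field in value.split("/"):
        key, sep, val = field.partition(":")
        if sep:  # skip malformed fields without a colon
            attrs[key.strip()] = val.strip()
    return attrs


def leaked_identity(headers: Dict[str, str]) -> Dict[str, str]:
    """Identity-revealing attributes in one object's response headers.
    Header names are compared case-insensitively, as HTTP allows."""
    for name, value in headers.items():
        if name.lower() == HEADER:
            attrs = parse_s3cmd_attrs(value)
            return {k: v for k, v in attrs.items() if k in SENSITIVE_KEYS}
    return {}


def audit(objects: Dict[str, Dict[str, str]]) -> List[str]:
    """objects maps object key -> HEAD response headers; returns leaking keys."""
    return [key for key, hdrs in objects.items() if leaked_identity(hdrs)]


# Constructed sample HEAD responses (not taken from the post).
SAMPLE = {
    "mockups/app.exe": {
        "Content-Type": "application/octet-stream",
        "x-amz-meta-s3cmd-attrs": "atime:1478000000/ctime:1478000000/gid:1000/"
                                  "gname:staff/mode:33188/mtime:1478000000/"
                                  "uid:1000/uname:jdoe",
    },
    "mockups/readme.txt": {"Content-Type": "text/plain"},
}

if __name__ == "__main__":
    for key in audit(SAMPLE):
        print(key, "leaks", leaked_identity(SAMPLE[key]))
```

Objects flagged by the audit can be re-uploaded with --no-preserve so the metadata is dropped.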
