its worse than this.
another, far worse wallet attack can also be used if they know the bucket name youre using in S3. they can generate an obscene amount of invalid requests you pay for that quickly ads up, and amazons response is 'so?'
this post was submitted on 02 May 2024
21 points (95.7% liked)
Cybersecurity
5971 readers
382 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
founded 2 years ago
MODERATORS
The lead of s3 actually did indicate that they are planning changes in response to that article. Hopefully we see a change there soon.
Edit: found the link
thank pasta. this 'security through obscurity' policy is freakin me out
Totally agree. I have a close friend that works at AWS (although not anywhere close to s3) and this article was making the rounds internally. I know people have been upset about this, but it genuinely just sounds like one of those edge cases they overlooked until it was exposed. It sucks, but any developer has a good story of a time they've done it. Hopefully they get a fix out soon.
Would adding Cloudfront in front of the s3 bucket prevent against this type of attack? Does canceling the connection to the cloudfront distribution cause the same behavior with regard to s3 egress?