Hello friends, it’s me 1day, back with another interesting vulnerability I found in my bug hunting journey. I’m a self-taught cybersecurity enthusiast who loves bug hunting & programming.
In this article I’m going to show you how I was able to escalate a leaked ID to a full S3 bucket dump. This is my first critical cloud-based vulnerability.
I had been hunting on a private program on Bugcrowd for like 2 months. Let’s call the target labs.redacted.com.
This subdomain has nothing except a “Login with Company SSO” button, which only authorised users in the company’s SSO can use to log in. The backend used AWS Cognito for user sign-in and management.
I started hunting on this subdomain at 3 PM and found nothing until 7 PM…
In Local Storage there was a key named something like com.amplify.Cognito.eu-west-1.blalalalalalalalalala.identityId, with a value.
I was waiting for this moment my whole life!!
An identityId is a unique identifier assigned to a user within an Identity Pool in AWS Cognito. It serves as a reference to a user, whether they are authenticated or unauthenticated.
It is not a credential, but an ID that can be used to retrieve temporary AWS credentials via Cognito.
Now most of y’all will not be familiar with what Amazon Cognito is.
AWS Cognito is a fully managed service that provides authentication, authorization, and user management for web and mobile applications. It simplifies adding secure sign-up, sign-in, and access control to your applications, supporting various authentication methods such as social logins, SAML, OpenID Connect, and custom authentication.
Identity Pools, a component of AWS Cognito, help developers manage and grant temporary, fine-grained access to AWS services like S3, DynamoDB, or Lambda. They work by providing users with temporary AWS credentials through AWS Security Token Service (STS).
IAM roles linked to the Identity Pool determine what AWS resources the user can access.
So if the Identity Pool’s roles carry more permissions than they need, an unauthenticated user can access sensitive resources such as S3 buckets, DynamoDB tables, etc.
Now that you know how Identity Pools work in AWS Cognito, let’s see how I was able to access sensitive information just by using the identityId exposed in Local Storage.
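The defender’s side of the issue just described is a review of what the pool’s unauthenticated (“guest”) role is allowed to do. The script below is an added example, not code from the original writeup or from AWS: it takes the three pieces of data a reviewer would pull with the AWS CLI (the pool description, the pool’s role mapping, and the guest role’s policy document) and flags any sensitive action granted on a wildcard resource. All JSON is constructed to mimic those CLI outputs; the pool id, account id, role ARNs, policy names and bucket name are placeholders.

```python
"""Audit of a Cognito Identity Pool's unauthenticated ("guest") role.

Added example, not part of the original writeup. The JSON is constructed to
mimic `aws cognito-identity describe-identity-pool`, `aws cognito-identity
get-identity-pool-roles` and `aws iam get-role-policy`; the pool id, account
id, role ARNs and bucket name are placeholders.
"""
import fnmatch
import json

# Constructed: describe-identity-pool output for a pool that vends credentials
# to anyone who presents an identityId, with no identity-provider login.
POOL = json.loads("""{
  "IdentityPoolId": "eu-west-1:00000000-0000-0000-0000-000000000000",
  "IdentityPoolName": "labs_pool",
  "AllowUnauthenticatedIdentities": true
}""")

# Constructed: get-identity-pool-roles output mapping access type to IAM role.
POOL_ROLES = json.loads("""{
  "IdentityPoolId": "eu-west-1:00000000-0000-0000-0000-000000000000",
  "Roles": {
    "authenticated": "arn:aws:iam::111111111111:role/labs_auth_role",
    "unauthenticated": "arn:aws:iam::111111111111:role/labs_unauth_role"
  }
}""")

# Constructed: the weak inline policy on the guest role. The second statement
# is the kind of grant that turns a leaked identityId into a bucket dump.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"}
  ]
}""")

# Constructed: the same role scoped to one public prefix of one bucket.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::labs-public-assets/public/*"}
  ]
}""")

# Action families a guest role should only get with a narrowly scoped Resource.
# Matching runs in both directions so "s3:*" or "*" in a policy is caught as
# well as a concrete "s3:GetObject".
SENSITIVE_ACTIONS = ["s3:*", "dynamodb:*", "lambda:Invoke*", "secretsmanager:*", "iam:*"]


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_is_sensitive(action):
    a = action.lower()
    return any(fnmatch.fnmatch(a, s.lower()) or fnmatch.fnmatch(s.lower(), a)
               for s in SENSITIVE_ACTIONS)


def _resource_is_wildcard(resource):
    """True for '*' or an ARN whose resource part is only '*' (arn:aws:s3:::*)."""
    return resource.split(":")[-1] == "*"


def find_risky_grants(policy):
    """Return (action, resource) pairs from Allow statements that grant a
    sensitive action on a wildcard resource."""
    risky = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not _action_is_sensitive(action):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if _resource_is_wildcard(resource):
                    risky.append((action, resource))
    return risky


def audit_identity_pool(pool, pool_roles, unauth_policy):
    """Report risky grants on the guest role. Only the guest-access-enabled
    case is reported: with AllowUnauthenticatedIdentities off, Cognito does
    not create unauthenticated identities, so that role is never vended."""
    if not pool.get("AllowUnauthenticatedIdentities"):
        return []
    role = pool_roles.get("Roles", {}).get("unauthenticated")
    if not role:
        return []
    return [f"{role} grants {action} on {resource} to unauthenticated identities"
            for action, resource in find_risky_grants(unauth_policy)]


if __name__ == "__main__":
    for finding in audit_identity_pool(POOL, POOL_ROLES, WEAK_POLICY):
        print("FINDING:", finding)
    print("hardened policy findings:", audit_identity_pool(POOL, POOL_ROLES, HARDENED_POLICY))
```

Against the constructed weak policy the audit reports two findings (s3:ListBucket and s3:GetObject on “*”); against the hardened policy it reports none, because the only grant is pinned to a single bucket prefix. On a real account the same inputs come from aws cognito-identity describe-identity-pool --identity-pool-id, aws cognito-identity get-identity-pool-roles --identity-pool-id, and aws iam get-role-policy (plus aws iam list-attached-role-policies and get-policy-version for managed policies attached to the guest role).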
eu-west-1:e3923078-cccc-bbbb-aaaa-xxxxxxxxxxxx
The API call that requests temporary credentials is get-credentials-for-identity, in the cognito-identity service.
So let’s use awscli to perform this API call and get a set of temporary credentials…
aws cognito-identity get-credentials-for-identity --identity-id "eu-west-1:e3923078-cccc-bbbb-aaaa-xxxxxxxxxxxx"
This API call responded with a set of temporary credentials valid for 1 hour.
Now you can see we have credentials for a Cognito temporary user, which carries all permissions assigned to the respective Identity Pool role.
Now I created a profile in my awscli with these credentials…
aws configure --profile anything
and passed in all the values it asked for.
Now the main part: we got the credentials of a temporary account, so they come with a session token, and aws configure does not prompt for it. We need to set the session manually in our ~/.aws/credentials file.
Under the profile’s section, add a key called aws_session_token, set its value to the SessionToken returned by get-credentials-for-identity, and save the file.
Now we’re successfully authenticated. To test our authentication, let’s call get-caller-identity in the sts service of AWS.
aws sts get-caller-identity --profile profilename
This shows that we’re successfully authenticated.
Now the crucial part! What can I access with this account?
I used a tool called aws_enum_services.py from https://github.com/NotSoSecure/cloud-service-enum.git
We just need to run the tool with the AWS profile we want, and it tries each AWS service and tells us which services the profile can access.
BOOM! Now you can see we have access to S3 buckets. We can read all the contents of those buckets, and this is a sensitive data exposure.
Unfortunately, I cannot show you even the filenames in these buckets, because it was highly confidential data: blueprints for their software designs (SRS documents) and more. This could have been a huge loss for the company.
This was my quick, short writeup on how I was able to pull off this attack. I reported this vulnerability to the company; the company usually takes almost 1–2 months to triage and pay out bounties.
This was reported as a P1 (Sensitive information disclosure) of company’s internal.
Please clap for this writeup if you’ve enjoyed this.
Thank you :)