Photo and video clip drip through misconfigured S3 buckets

Typically for images or any other asserts, some form of Access Control List (ACL) will be set up. For assets such as for instance profile photos, a standard method of applying ACL could be:

The important thing would act as a “password” to gain access to the file, together with password would simply be provided users who require usage of the image. When it comes to a dating application, it’s going to be whoever the profile is presented to.

We have identified several misconfigured buckets that are s3 The League through the research. All images and videos are unintentionally made general general public, with metadata such as which user uploaded them so when. Typically the application would obtain the pictures through Cloudfront, a CDN on top of this buckets that are s3. Unfortunately the s3 that is underlying are severely misconfigured.

Side note: in so far as i can inform, the profile UUID is arbitrarily created server-side as soon as the profile is established. In order for part is not likely to be really easy to imagine. The filename is managed because of the customer; the host takes any filename. In your client app it’s hardcoded to upload.jpg .

The seller has since disabled listObjects that are public. Nonetheless, we nevertheless think there must be some randomness when you look at the key. Read more «Therefore I reverse engineered two apps that are dating.»