[phibit]

Another fun one that's becoming more common with cloud hosted services: access to internal metadata services that issue credentials.

Blocking file:// doesn't prevent access from > http://169.254.169.254/latest/meta-data/iam/security-credent....