Hacker News new | ask | show | jobs
by syn0byte 2510 days ago
Lots! Tons and Tons and Tons! S3 is super secure and CAN NOT be hacked when properly configured and used according to our standard!

You got hacked? You must have configured it wrong because we already told you it was unhackable; Good luck proving it was our fault not yours.
3 comments
SmellyGeekBoy 2510 days ago
> Good luck proving it was our fault not yours.

Seems like it would be incredibly easy to prove that an S3 bucket was misconfigured in such a way that the data was publicly accessible. In fact this has been the case in the recent high-profile cases that I can recall.

link
giggzy2 2506 days ago
The S3 bucket was not public.

The hacker got ephemeral keys by remotely exploiting the WAF. The WAF had no reason to have privileges to read from S3, that was a mistake.

I’m unclear if data in bucket was encrypted at rest but I guess if you get keys to read it’s a moot point.

link
eropple 2510 days ago
Can you actually substantiate a S3 security problem that wasn't user error? Because I've yet to hear of one.
link
buboard 2510 days ago
not sure if serious
link