Hacker News new | ask | show | jobs
by sodality2 1949 days ago
My first thought was "why is salesforce publishing essentially a hacking tool? why can't they bring it up privately, surely a large enough company will have some weight to their request?" but then I remembered AWS...

>At the time of this writing, AWS Access Analyzer does NOT support auditing 11 out of the 18 services that Endgame attacks. Given that Access Analyzer is intended to detect this exact kind of violation, we kindly suggest to the AWS Team that they support all resources that can be attacked using Endgame

...and it's not even a hacking tool!
1 comments
kmcquade 1949 days ago
Author here :) Endgame exploits/abuses features. If it was a bug, I'd work with AWS to solve the problem, but with abusing features - that would result in years of unsatisfied feature requests. This should push the issue along.

>...and it's not even a hacking tool! It can be used to backdoor resources to rogue accounts, so I'd say it's a hacking tool and can/should be used on penetration tests. I'd certainly use it on a pentest :)

link
PeterCorless 1949 days ago
404. Did they pull the repo or make it private?

https://github.com/salesforce/endgame

link
dvaun 1949 days ago
Here is one of many forks: https://github.com/agnivesh/endgame/
link
Mandatum 1949 days ago
https://web.archive.org/web/20210216140035/https://github.co...
link
Operyl 1949 days ago
I'm impressed you were able to get your employer (Salesforce) to actually let you publish this under their organization. Kudos to that.
link
mushufasa 1949 days ago
Salesforce also runs Heroku, which is one of the biggest AWS wrappers around. I'm really glad they're active in security auditing here, it's a real value add to customers of Heroku / Salesforce services to see evidence of their work to analyze security.
link
kerng 1949 days ago
Yes, surprised also, given past stories around Defcon.

I think it's great to have audit tools like this. It makes people realize how vulnerable their accounts are.

Does a similar tool exist for Salesforce and Heroku?

link
jasperran 1949 days ago
Not sure what the shock is with seeing security tools like this released, the vast majority of security tools are open source, how is this different to what we have been seeing the past 30 year?

Not to mention companies such as Google, Netflix and Mozilla all release security tools just like this.

link
Mandatum 1949 days ago
I guess they didn't.
link
Operyl 1949 days ago
That’s what I was expecting to happen, unfortunately.
link
sodality2 1949 days ago
Well, you know the saying about eggs and omelettes. I wish you luck with getting AWS to listen to you!
link
kmcquade 1949 days ago
Thanks :)
link
Blahah 1949 days ago
Can you share the code somewhere else? It's been taken down from github
link
cambalache 1949 days ago
https://files.pythonhosted.org/packages/0c/f0/9eced7d6c57483...
link
jeffmcjunkin 1949 days ago
Bugs get patched. Features are protected, and sometimes simultaneously abused. Thank you!
link
stjohnswarts 1949 days ago
So did you just put this out there or did you give AWS Security peeps a week or two notice?
link
jasperran 1949 days ago
This isn't exploiting a vulnerability. This requires authentication and uses AWS features. Why would they need to alert AWS?
link
denismurphy 1949 days ago
you're an evil genius
link