Hacker News new | ask | show | jobs
by kmcquade 1955 days ago
Author here :) Endgame exploits/abuses features. If it was a bug, I'd work with AWS to solve the problem, but with abusing features - that would result in years of unsatisfied feature requests. This should push the issue along.

>...and it's not even a hacking tool! It can be used to backdoor resources to rogue accounts, so I'd say it's a hacking tool and can/should be used on penetration tests. I'd certainly use it on a pentest :)
7 comments
PeterCorless 1955 days ago
404. Did they pull the repo or make it private?

https://github.com/salesforce/endgame

link
dvaun 1954 days ago
Here is one of many forks: https://github.com/agnivesh/endgame/
link
Mandatum 1954 days ago
https://web.archive.org/web/20210216140035/https://github.co...
link
Operyl 1955 days ago
I'm impressed you were able to get your employer (Salesforce) to actually let you publish this under their organization. Kudos to that.
link
mushufasa 1955 days ago
Salesforce also runs Heroku, which is one of the biggest AWS wrappers around. I'm really glad they're active in security auditing here, it's a real value add to customers of Heroku / Salesforce services to see evidence of their work to analyze security.
link
kerng 1955 days ago
Yes, surprised also, given past stories around Defcon.

I think it's great to have audit tools like this. It makes people realize how vulnerable their accounts are.

Does a similar tool exist for Salesforce and Heroku?

link
jasperran 1955 days ago
Not sure what the shock is with seeing security tools like this released, the vast majority of security tools are open source, how is this different to what we have been seeing the past 30 year?

Not to mention companies such as Google, Netflix and Mozilla all release security tools just like this.

link
Mandatum 1954 days ago
I guess they didn't.
link
Operyl 1954 days ago
That’s what I was expecting to happen, unfortunately.
link
sodality2 1955 days ago
Well, you know the saying about eggs and omelettes. I wish you luck with getting AWS to listen to you!
link
kmcquade 1955 days ago
Thanks :)
link
Blahah 1955 days ago
Can you share the code somewhere else? It's been taken down from github
link
cambalache 1955 days ago
https://files.pythonhosted.org/packages/0c/f0/9eced7d6c57483...
link
jeffmcjunkin 1955 days ago
Bugs get patched. Features are protected, and sometimes simultaneously abused. Thank you!
link
stjohnswarts 1955 days ago
So did you just put this out there or did you give AWS Security peeps a week or two notice?
link
jasperran 1955 days ago
This isn't exploiting a vulnerability. This requires authentication and uses AWS features. Why would they need to alert AWS?
link
denismurphy 1955 days ago
you're an evil genius
link