Posted on July 20, 2022
Video and picture leak through misconfigured S3 buckets
Typically, for images or any other assets, some form of Access Control List (ACL) could be set up. A common way of implementing ACL would be for assets such as profile pictures
The key would act as a “password” to access the file, and the password would only be provided to users who require access to the image. In the case of a dating app, that is whoever the profile is presented to.
I’ve identified several misconfigured S3 buckets on The League during the research. All photos and videos are inadvertently made public, with metadata such as which user uploaded them and when. Normally the application would obtain the pictures through CloudFront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.
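A defender can check a bucket policy for the condition described above, where objects are reachable directly from the bucket instead of only through the CDN. This is an added example, not code from the original post: the post does not show the actual bucket policies, so both policies, the bucket name, the account ID and the distribution ID below are constructed.

```python
from fnmatch import fnmatchcase

# Reads and listings are what expose media files and their metadata.
SENSITIVE = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, signed in or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_read_statements(policy):
    """Return the Sids of Allow statements that let anyone read or list."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditioned grants are left for manual review
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        exposed = any(fnmatchcase(t, a) for a in actions for t in SENSITIVE)
        if exposed and _is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings

# Constructed weak policy: anyone can list the bucket and fetch objects.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-media-bucket",
                  "arn:aws:s3:::example-media-bucket/*"]}]}

# Constructed corrected policy: only one CloudFront distribution may read.
CDN_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFrontOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-media-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
         "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}

if __name__ == "__main__":
    print("weak policy findings:", public_read_statements(WEAK_POLICY))
    print("CDN-only policy findings:", public_read_statements(CDN_ONLY_POLICY))
```

The check covers bucket policies only; object and bucket ACL grants and the account's Block Public Access settings need to be reviewed separately.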