A group of researchers has found that over 1,800 apps are leaking AWS and Amazon S3 data. The data could enable someone to access shared storage, SDKs, and other developer resources.
The apps contain tokens that enable access to private AWS services run by developers. Those services include file backups, resources, and other data that support the apps.
The Simple Storage Service (S3) buckets accessible from the apps also contain data, backups and files.
"Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," said Symantec's Threat Hunter team.
"The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps."
One app provided by a B2B communications platform included an SDK that enabled the researcher to access its cloud infrastructure. This, in turn, allowed free access to all customer data, including financial records of over 15,000 organizations.
"Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company's AWS cloud services," the researchers noted.
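The two failures described here, a credential baked into a shared SDK and a token scoped far wider than the one service it was meant for, can both be caught before an app ships. The following Python is an added example written for this page, not code from Symantec's Threat Hunter team or from any of the apps it studied. It scans an unpacked app bundle for AWS access key ID patterns (skipping the placeholder keys from AWS's own documentation, which appear in many SDKs), redacts any adjacent secret in its report, and flags IAM policy statements that grant wildcard actions or resources. The sample config, the file paths, the bucket name and both policies are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Long-term AWS access key IDs begin with "AKIA" (temporary STS keys with "ASIA")
# and are 20 characters long; secret access keys are 40 characters of base64-like text.
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Placeholder credentials from the AWS documentation are not secrets and are skipped.
KNOWN_PLACEHOLDER_KEYS = {b"AKIAIOSFODNN7EXAMPLE", b"AKIAI44QH8DHBEXAMPLE"}


@dataclass
class Finding:
    path: str
    kind: str
    value: str
    offset: int


def redact(secret: str) -> str:
    """Keep enough of a secret to confirm a match without copying it into a report."""
    return secret[:4] + "..." + secret[-2:]


def scan_bytes(path: str, data: bytes) -> list:
    """Report hard-coded AWS credentials in one file's contents (text or binary)."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        key_id = m.group(1)
        if key_id in KNOWN_PLACEHOLDER_KEYS:
            continue
        findings.append(Finding(path, "aws_access_key_id", key_id.decode(), m.start()))
        # SDK configs usually keep the secret close to the key ID, so look a short distance ahead.
        window = data[m.end():m.end() + 256]
        s = SECRET_KEY_RE.search(window)
        if s:
            findings.append(Finding(path, "aws_secret_access_key",
                                    redact(s.group(1).decode()), m.end() + s.start()))
    return findings


def scan_tree(root: str) -> list:
    """Walk an unpacked app bundle (the extracted IPA/APK contents) and scan every file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                findings.extend(scan_bytes(os.path.relpath(full, root), fh.read()))
    return findings


def overbroad_statements(policy: dict) -> list:
    """Return (index, reasons) for Allow statements that grant wildcard actions or resources."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    flagged = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        reasons = []
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append("wildcard action")
        if any(r == "*" for r in resources):
            reasons.append("wildcard resource")
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample resembling a third-party SDK config file bundled inside an app.
SAMPLE_CONFIG = (
    b'translate_endpoint = "https://translate.example.invalid"\n'
    b'aws_access_key_id = "AKIATESTKEY0000000EX"\n'
    b'aws_secret_access_key = "0123456789abcdefghijklmnopqrstuvwxyzABCD"\n'
    b'doc_placeholder = "AKIAIOSFODNN7EXAMPLE"\n'
)

# Constructed policies: the first mirrors the "full unfettered access" case quoted above,
# the second is limited to reading objects from one hypothetical bucket.
OVERBROAD_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::app-assets-example/*"}]}

if __name__ == "__main__":
    for f in scan_bytes("sdk/config.ini", SAMPLE_CONFIG):
        print(f"{f.path}:{f.offset} {f.kind} = {f.value}")
    print("over-broad:", overbroad_statements(OVERBROAD_POLICY))
    print("scoped:", overbroad_statements(SCOPED_POLICY))
```

Run `scan_tree` against the unpacked contents of your own app build as a release gate; a hit in a vendored SDK directory is exactly the shared-component case the researchers describe, and the right fix is to remove the credential from the bundle and rotate it, not to accept the finding. `overbroad_statements` is a coarse linter rather than a full policy analyser: it catches `*` and `service:*` grants, which is the shape of the unscoped token in the quote, but a policy can still be wider than needed without using a wildcard.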
If that wasn’t enough, the researchers also tested 5 iOS banking apps and found they all used the same AI Digital Identity SDK. This enabled access to the biometric login data of over 300,000 users!
The Symantec Threat Hunter team has alerted the developers and organizations responsible, and hopefully we'll see fixes soon.
This is a big blow to the app ecosystem, as it shows that the apps we use every day could be leaving us and our data exposed.
Perhaps now might be a good time to inventory what apps we use and perform a little housekeeping!