AWS Services: AWS Temporary Credentials Leakage

Security Incident

AWS secret keys are exposed by the client application in the browser during authentication to AWS services.


During penetration testing of an application, I reported a critical sensitive information disclosure issue: AWS keys were being exposed in cleartext. The client application, via the browser, was making an API call whose response payload returned AWS temporary credentials (AWS Roles) with a TTL of 1 hour.

The client application would then make another API call to authenticate to one of the AWS managed services used for data analytics, passing these credentials as part of the request payload. After authenticating, it would send the information needed for analytics.

"sts" : {"access_key_id": "BAIAXXXXXXXXXXXXXXX", "secret_key": "tsmXXXXXXXX+XXXXX/XX/XXXXXXXXXXXXXXXXXXXX" ...

As seen in the diagram below, the AWS keys are first sent to the user's browser and then forwarded to the data analytics service, so the keys are exposed in the browser.


Adversaries could use API clients to authenticate directly to this AWS service with the leaked credentials and tamper with the data by manipulating this information. This could lead to incorrect user search analytics.
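The exposure described above can be caught mechanically, either while reviewing proxy traffic during a test or as a check over API responses in CI. The following Python is an added example and not the author's code or tooling; the field-name list, the constructed sample payload and the redaction format are assumptions.

```python
import json
import re

# Access key IDs are 20 chars: a 4-letter prefix plus 16 uppercase alphanumerics.
# AKIA = long-term IAM key; ASIA = temporary STS credential, as in the post.
ACCESS_KEY_RE = re.compile(r"(AKIA|ASIA)[0-9A-Z]{16}")
# Field names (lower-cased, '-' -> '_') that must never reach the browser. Matching
# on the name reports redacted values too: the field's presence is the design flaw.
SENSITIVE_FIELDS = {"access_key_id", "accesskeyid", "secret_key", "secret_access_key",
                    "secretaccesskey", "session_token", "sessiontoken"}

# Constructed body in the shape the post describes; the secret is the AWS
# documentation example key, the other values are made up.
SAMPLE_RESPONSE = json.dumps({"user": "alice", "sts": {
    "access_key_id": "ASIAEXAMPLE000000001",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_token": "IQoJb3JpZ2luX2VjEConstructedToken==",
    "expiration": "2024-01-01T01:00:00Z"}})

def _redact(value: str) -> str:
    # Keep just enough to correlate findings without re-logging the secret.
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"

def _walk(node, path: str, findings: list) -> None:
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}"
            if not isinstance(val, str):
                _walk(val, child, findings)
                continue
            name = key.lower().replace("-", "_")
            if ACCESS_KEY_RE.fullmatch(val):        # value-based: any field name
                findings.append({"path": child, "kind": "access_key_id", "value": _redact(val)})
            elif name in SENSITIVE_FIELDS and val:    # name-based
                findings.append({"path": child, "kind": name, "value": _redact(val)})
    elif isinstance(node, list):
        for i, val in enumerate(node):
            _walk(val, f"{path}[{i}]", findings)

def find_credential_leaks(body: str) -> list:
    """One finding per leaked field; non-JSON bodies get the key-ID regex only."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [{"path": "<raw>", "kind": "access_key_id", "value": _redact(m.group(0))}
                for m in ACCESS_KEY_RE.finditer(body)]
    findings: list = []
    _walk(doc, "$", findings)
    return findings
```

Running `find_credential_leaks(SAMPLE_RESPONSE)` reports the three credential fields under `$.sts` with their values redacted, while `user` and `expiration` are left alone.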


Leverage API gateways and delegate these API calls to the backend so that client applications do not need the AWS keys required to authenticate directly to AWS services. As seen in the diagram below, in this design the credentials are never sent to the client browser and authentication is implemented entirely in the backend.

Author: Vikas Suhane

1 Comment

  • Marisela Poovey

    Everything is very open with a very clear explanation of the challenges. It was definitely informative. Your site is very helpful. Thanks for sharing!
