AWS Temporary Credentials Leakage

Security Incident

Temporary AWS credentials (an STS access key ID and secret key) are exposed in the browser by the client application, which uses them to authenticate directly to an AWS service.

Description

During penetration testing of an application, I reported a critical sensitive information disclosure issue: AWS keys were being exposed in cleartext. The client application, running in the browser, made an API call whose response payload contained temporary AWS credentials (obtained by assuming an AWS role) with a TTL of one hour.

The client application then made a second API call to authenticate to one of the managed AWS services used for data analytics (Amazon Kinesis), passing these credentials as part of the request payload. Once authenticated, it sent the data needed for user search analytics.

"Region": "us-west1", "channel": "test", "partition_key": " ", "sts": {"access_key_id": "BAIA3QUWOQKC5JHLYRNY", "secret_key": "tsmk408NM82r+oHk88/TR/vN892Rxeaschkashckacl" ……..

As seen in the diagram below, the AWS keys are delivered to the user's browser and then presented to Kinesis, so anyone with access to the browser (its developer tools, an intercepting proxy, or the network log) can read them.
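The check a tester would run on that response, as an added example that is not code from the original post: a small Python scanner that walks a JSON response body and flags AWS access key IDs (the ASIA prefix identifies STS temporary credentials, AKIA long-lived IAM user keys), secret keys, and session tokens, and then decides whether what leaked is directly usable for signing requests. The sample response is constructed to mirror the shape of the excerpt above; the key values are AWS documentation-style placeholders, and the field names the scanner looks for are assumptions, since they vary by application.

```python
import json
import re

# AWS access key IDs are a 4-letter prefix plus 16 upper-case alphanumerics.
# ASIA = temporary (STS) credentials, AKIA = long-lived IAM user keys.
ACCESS_KEY_RE = re.compile(r"(AKIA|ASIA)[A-Z0-9]{16}")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+]{40}")
# Field names that commonly carry the secret and token (assumption: names vary by app).
SECRET_FIELDS = {"secret_key", "secret_access_key", "aws_secret_access_key", "secretaccesskey"}
TOKEN_FIELDS = {"session_token", "aws_session_token", "sessiontoken", "token"}

# Constructed sample mirroring the leaked payload's shape; the key values are
# AWS documentation-style placeholders, not credentials from any real account.
SAMPLE_RESPONSE = json.dumps({
    "Region": "us-west-1",
    "channel": "test",
    "partition_key": " ",
    "sts": {
        "access_key_id": "ASIAEXAMPLE123456789",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "session_token": "FwoGZXIvYXdzEBYaDConstructedSessionToken==",
        "expiration": "2024-01-01T01:00:00Z",
    },
})


def _leaves(obj, path=""):
    """Yield (json_path, value) for every scalar in a nested JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{idx}]")
    else:
        yield path, obj


def mask(value: str) -> str:
    """Keep only the prefix and last four characters so findings are safe to log."""
    return value[:4] + "..." + value[-4:]


def scan_response(body: str) -> list:
    """Return a list of credential findings for one HTTP response body."""
    findings = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Not JSON (e.g. a JS bundle): fall back to scanning raw text for key IDs only.
        for m in ACCESS_KEY_RE.finditer(body):
            findings.append({"path": f"offset {m.start()}", "kind": "access_key_id",
                             "temporary": m.group(0).startswith("ASIA"),
                             "value": mask(m.group(0))})
        return findings

    for path, value in _leaves(doc):
        if not isinstance(value, str):
            continue
        field = path.rsplit(".", 1)[-1].lower()
        if ACCESS_KEY_RE.fullmatch(value):
            findings.append({"path": path, "kind": "access_key_id",
                             "temporary": value.startswith("ASIA"), "value": mask(value)})
        elif field in SECRET_FIELDS and SECRET_KEY_RE.fullmatch(value):
            findings.append({"path": path, "kind": "secret_access_key", "value": "<redacted>"})
        elif field in TOKEN_FIELDS and value.strip():
            findings.append({"path": path, "kind": "session_token", "value": "<redacted>"})
    return findings


def usable_credentials(findings: list) -> bool:
    """True when a key ID and secret (plus a session token for STS keys) leaked
    together, i.e. an attacker can sign requests with nothing else."""
    kinds = {f["kind"] for f in findings}
    temporary = any(f.get("temporary") for f in findings if f["kind"] == "access_key_id")
    if temporary:
        return {"access_key_id", "secret_access_key", "session_token"} <= kinds
    return {"access_key_id", "secret_access_key"} <= kinds


if __name__ == "__main__":
    found = scan_response(SAMPLE_RESPONSE)
    for f in found:
        print(f)
    print("directly usable:", usable_credentials(found))
```

Run it against every response captured through the proxy during the test; the raw-text fallback is what catches keys baked into a JavaScript bundle rather than returned by an API. Note that the access key ID in the post's excerpt does not start with AKIA or ASIA, so it appears to have been altered for publication; a real leak will match the prefix check.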

Impact

An adversary who captures these credentials can use any API client or the AWS CLI to authenticate to the Kinesis service directly and write arbitrary records, tampering with the analytics data and producing incorrect user search analytics. The one-hour TTL does not limit this: the browser can request fresh credentials at any time, and any other permissions granted to the assumed role are exposed along with them.

Remediation

Route these calls through an API gateway and delegate them to the backend, so that client applications never need AWS keys to authenticate directly to AWS services. As seen in the diagram below, this design does not send credentials to the client browser; authentication is implemented entirely in the backend, which can also validate the analytics payload before forwarding it. Treat any credentials that were already exposed as compromised, and scope the role the backend uses to the minimum permissions the analytics ingestion needs.
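The backend-mediated design described in the remediation, as an added example (not the author's or the application's code): a Python request handler that accepts only the search event from the browser, whitelists its fields, derives the partition key from the authenticated user rather than from the client, and calls Kinesis PutRecord with server-held credentials, returning nothing but an acknowledgement. The Kinesis client is injected so the example runs offline; in production it would be boto3.client("kinesis"), whose put_record keyword arguments the stand-in mirrors. The stream name, region, allowed channels, field names and size limits other than the Kinesis 1 MiB record cap are assumed for illustration.

```python
import hashlib
import hmac
import json
import os

# Server-side configuration: the browser can no longer choose region or stream.
STREAM_NAME = "search-analytics"   # assumed stream name
REGION = "us-west-1"               # assumed region
ALLOWED_CHANNELS = {"web", "test"}  # assumed channel whitelist
MAX_QUERY_LEN = 512                 # assumed application limit
MAX_RECORD_BYTES = 1_048_576        # Kinesis PutRecord data limit (1 MiB)
# Salt for the partition key; in production this comes from secret configuration.
PARTITION_SALT = os.environ.get("PARTITION_SALT", "dev-only-salt").encode()


class BadRequest(ValueError):
    """Raised for any payload the backend refuses to forward."""


def validate_event(payload) -> dict:
    """Whitelist the fields the browser may send; anything else is rejected."""
    if not isinstance(payload, dict):
        raise BadRequest("payload must be an object")
    unexpected = set(payload) - {"channel", "query", "results"}
    if unexpected:
        raise BadRequest(f"unexpected fields: {sorted(unexpected)}")
    channel = payload.get("channel")
    if channel not in ALLOWED_CHANNELS:
        raise BadRequest("unknown channel")
    query = payload.get("query")
    if not isinstance(query, str) or not 0 < len(query) <= MAX_QUERY_LEN:
        raise BadRequest("bad query")
    results = payload.get("results", 0)
    if isinstance(results, bool) or not isinstance(results, int) or results < 0:
        raise BadRequest("bad results count")
    return {"channel": channel, "query": query, "results": results}


def partition_key_for(user_id: str) -> str:
    """Derive the shard key server-side from the authenticated user, not the client."""
    return hmac.new(PARTITION_SALT, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def handle_search_event(user_id: str, payload, kinesis) -> dict:
    """HTTP handler body. user_id comes from the server-side session, never the payload;
    kinesis is an object with a boto3-style put_record(StreamName=, Data=, PartitionKey=)."""
    event = validate_event(payload)
    event["user_id"] = user_id
    data = json.dumps(event, separators=(",", ":")).encode()
    if len(data) > MAX_RECORD_BYTES:
        raise BadRequest("record too large")
    resp = kinesis.put_record(StreamName=STREAM_NAME, Data=data,
                              PartitionKey=partition_key_for(user_id))
    # The browser gets an acknowledgement only: no credentials, region or stream name.
    return {"ok": True, "sequence": resp["SequenceNumber"]}


class FakeKinesis:
    """Offline stand-in (constructed for this example) that records PutRecord calls."""

    def __init__(self):
        self.calls = []

    def put_record(self, **kwargs):
        self.calls.append(kwargs)
        return {"ShardId": "shardId-000000000000", "SequenceNumber": str(len(self.calls))}


def rejects(payload) -> bool:
    """True if the handler refuses the payload; used to demonstrate the whitelist."""
    try:
        handle_search_event("user-1", payload, FakeKinesis())
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    sink = FakeKinesis()
    print(handle_search_event("user-42", {"channel": "web", "query": "laptop", "results": 3}, sink))
    print(sink.calls[0]["StreamName"], sink.calls[0]["PartitionKey"])
    print("client-chosen stream rejected:", rejects({"channel": "web", "query": "x", "stream": "other"}))
```

With this in place the browser's only contact with AWS is through the application's own endpoint, so the IAM role can be scoped to kinesis:PutRecord on the one stream, and a compromised browser session can at most submit well-formed search events for the user it is logged in as.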

Author: Vikas Suhane


