- July 13, 2020
- Posted by: Swati.patel
- Category: Blogs

Security Incident
AWS secret keys are exposed by the client application in the browser during authentication to AWS services.
Description
During a penetration test of an application, I reported a critical sensitive information disclosure issue: AWS keys were exposed in cleartext. The client application, running in the browser, made an API call that returned AWS temporary credentials (for an AWS role) in the response payload, with a TTL of 1 hour.
The client application then made a second API call to authenticate to one of the AWS managed services used for data analytics, passing these credentials in the request payload. After authentication, it sent the information needed for analytics.
"sts": {"access_key_id": "BAIAXXXXXXXXXXXXXXX", "secret_key": "tsmXXXXXXXX+XXXXX/XX/XXXXXXXXXXXXXXXXXXXX" ...
As seen in the diagram below, the AWS keys are sent to the user's browser and then forwarded from the browser to the data analytics service, which is what exposes the AWS keys in the browser.
Impact
Adversaries could use API clients to authenticate directly to this AWS service with the exposed credentials and tamper with the analytics data it holds. This could lead to incorrect user search analytics.
Remediation
Leverage an API gateway and delegate these API calls to the backend, so that the client application does not need the AWS keys required to authenticate directly to AWS services. As seen in the diagram below, this design never sends the credentials to the client browser; authentication is implemented entirely in the backend.
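The two halves of this finding as an added example, not code from the original post: a check that walks a decoded API response and flags AWS credential material (by field name or by the AKIA/ASIA access-key-ID shape), and a minimal backend in the remediated design that keeps the STS credentials server-side and returns only the analytics result to the browser. The sample response, `stub_query_analytics` and `AnalyticsBackend` are constructed for this example.

```python
import re

# Field names that carry STS-style credentials in a response body;
# "access_key_id" and "secret_key" are the names in the finding above.
CREDENTIAL_FIELDS = {"access_key_id", "accesskeyid", "secret_key",
                     "secret_access_key", "secretaccesskey",
                     "session_token", "sessiontoken"}
# Access key IDs are 20 chars: AKIA... long-term user keys, ASIA... temporary
# (STS) keys like the ones in this finding.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def find_exposed_credentials(payload, path="$"):
    """Walk a decoded JSON body; return paths that carry credential material,
    matched by field name or by an access-key-ID shaped string value."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key.lower() in CREDENTIAL_FIELDS:
                hits.append(child)
            else:
                hits.extend(find_exposed_credentials(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_exposed_credentials(item, f"{path}[{i}]"))
    elif isinstance(payload, str) and ACCESS_KEY_RE.search(payload):
        hits.append(path)
    return hits

# Constructed sample shaped like the vulnerable response quoted above.
VULNERABLE_RESPONSE = {"user": "alice", "sts": {
    "access_key_id": "ASIAEXAMPLEKEY000001", "secret_key": "example-secret",
    "session_token": "example-token", "expiration": "2020-07-13T13:00:00Z"}}

def stub_query_analytics(creds, search_term):
    """Stand-in for the real analytics call (an assumption of this example);
    a real backend would sign the request with `creds` here."""
    return {"term": search_term, "hits": 3}

class AnalyticsBackend:
    """Remediated design: the backend holds the STS credentials and calls the
    service itself; the browser only ever receives the analytics result."""
    def __init__(self, sts_credentials, query_analytics=stub_query_analytics):
        self._creds = sts_credentials  # server-side only, never serialised
        self._query = query_analytics

    def handle_browser_request(self, search_term):
        if not search_term or len(search_term) > 256:
            return {"error": "invalid search term"}
        return {"analytics": self._query(self._creds, search_term)}
```

Running `find_exposed_credentials` over every JSON response captured during a test is a cheap way to catch this class of leak before it reaches production.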
Author: Vikas Suhane