Back in January 2018, while at NDC London, Scott Helme introduced me to an interesting new technique for finding Amazon S3 buckets: using the certificate transparency logs that are created when someone creates a new certificate, you can use the domain names as the wordlist for finding buckets. It's a novel approach, as normally most people use the Alexa top 1 million list.
Luckily there was already a tool for this on GitHub called bucket stream. I demo'd it at NDC Security Day in Oslo and left it for a bit before coming back to it again in March and deciding to do some digging and see what was out there. After about one hour, I had circa 500 open addresses.
What bucket stream doesn't show is the content of the buckets, only that they are open, and the permissions associated. To get the contents, you can either visit the site manually and scan it or find another tool. In this case, that was bucket-finder, which will list the contents of an S3 bucket and give you the public or private attributes.
Having an open S3 bucket is not a bad thing in itself. For example, you can use it as storage for a website or other such things, but when you use it for storing sensitive data and leave it open, this is a serious problem.
The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. bucket-finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose.
One such owner was True Move H, the second largest mobile operator in Thailand (source: Wikipedia). Their name was in the folder that contained many files, mainly JPGs and PDFs. The first interesting thing I observed was the key format: truemoveh/idcard/YYYY/MM/FILENAME.
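As an added example (not code from this post, nor from bucket stream or bucket-finder), here is a small Python parser for the S3 ListBucketResult XML that a bucket owner auditing their own listing can use: it honours IsTruncated so the 1000-key page limit mentioned above does not understate the exposure, and it counts keys matching the idcard/YYYY/MM layout by year. The bucket name, the "acme" prefix and the listing itself are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key layout described in the post: <folder>/idcard/YYYY/MM/FILENAME
IDCARD_KEY = re.compile(r"^[^/]+/idcard/(\d{4})/(\d{2})/[^/]+$")


def parse_listing(xml_text):
    """Parse one ListBucketResult page; return (keys, is_truncated, next_marker)."""
    root = ET.fromstring(xml_text)
    keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    # ListObjects v1 returns NextMarker only when a Delimiter was requested;
    # otherwise the last Key of a truncated page is the marker for the next call.
    next_marker = root.findtext(S3_NS + "NextMarker")
    if truncated and next_marker is None and keys:
        next_marker = keys[-1]
    return keys, truncated, next_marker


def summarise_idcard_keys(keys):
    """Count keys that look like scanned-ID uploads, grouped by year."""
    per_year = Counter()
    for key in keys:
        match = IDCARD_KEY.match(key)
        if match:
            per_year[match.group(1)] += 1
    return dict(per_year)


# Constructed listing: a truncated first page with MaxKeys=1000 (the S3 default).
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket-prod</Name>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>acme/idcard/2016/03/scan-0001.jpg</Key></Contents>
  <Contents><Key>acme/idcard/2016/11/scan-0002.pdf</Key></Contents>
  <Contents><Key>acme/idcard/2017/05/scan-0003.jpg</Key></Contents>
  <Contents><Key>acme/logos/minion.png</Key></Contents>
</ListBucketResult>"""


def audit(xml_text):
    """Summarise one listing page: key count, whether more pages exist, ID-card keys per year."""
    keys, truncated, marker = parse_listing(xml_text)
    return {"keys_seen": len(keys), "truncated": truncated,
            "next_marker": marker, "idcard_by_year": summarise_idcard_keys(keys)}
```

A `truncated` result of True means the page shows only the first 1000 keys and the audit must continue from `next_marker` before the bucket's true size is known.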
I checked the first couple of files in the directory: one was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file, which was a scanned ID card of a Thai citizen.
At this point, I realised that they were storing scanned ID cards that they got from customers in this S3 bucket, and there was no security on it at all protecting the files. Simply put, if you found the URL, you could download all their customers' scanned details.
In all, over 32GB of data existed in this bucket, totalling 46K files, neatly organised by year.
I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address.
I sent their support department a full report on Saturday 10-Mar detailing how this was found, with examples of the files that were available, and asking to talk to their security team.
The response was quite shocking. They admitted not having a security department and said that I should contact their head office during business hours.
Now it was a case of trying to figure out what to do. I contacted Scott Helme to get his advice on the most effective course of action. He suggested that I should contact some journalists to help put some pressure on them to get this blatant problem fixed. Scott connected me with John Leyden of The Register, who also pushed True Move H to fix it.
We had heard nothing for 2 or 3 weeks, and I decided that I was finally going to press the issue and told them on Mon 02-April that I would be publishing an article the following week.
On Wed 04-04, both John and I received identical messages from True Move H, saying that a team had been informed and were working on it.
I checked again on Thursday 12-April at 10:00 to verify whether the files were still available, and they were. At 19:00 they had finally been made private.
Unfortunately, this is not the first time this company has had issues with ID cards. Back in 2016, True Move H issued a SIM card to a thief without checking ID first, and the person linked to the SIM card lost a substantial sum of money.
Along with T-Mobile Austria last week, other telcos are seriously failing at security and at protecting their customers' privacy. You should connect with your provider and ask what they are doing to ensure this type of thing doesn't happen.
Update 14-04-2018: True Corp has issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai.
5 comments:
A couple of years ago the Thai government announced all SIM cards had to be registered and everyone had to go to their mobile provider and get their passport or ID card scanned. That's why they have these scans. 46k would be only a subset of all that they hold.
Niall, in the official statement True claims that they do not own the S3 bucket and the information was stolen and uploaded to that bucket. Is there a way to verify the owner of that bucket?
Do you have a link to the statement?
I could not find any website where they post the official statement. However, you can read it on a trusted news website here (in Thai):
http://daily.khaosod.co.th/view_news.php?newsid=TUROd01EVXdNVEUxTURRMk1RPT0=&sectionid=TURNek5RPT0=&day=TWpBeE9DMHdOQzB4TlE9PQ==
Dear Mr. Merrigan,
I would like to thank you for your help in preventing the data leaks from Truemove H company and I guess that I might be a victim of this incident too.
As in the comments above, I also heard that True stated that the data was hacked, but I haven't seen the real statement yet.
Since both the Truemove H company and our government offices are currently enjoying the long holiday, there will be no update until Tuesday the 17th.