Researchers Uncover 'Massive Security Flaws' In Amazon Cloud
Andrew R. Hickey
Security researchers from Ruhr-University Bochum (RUB) found that Amazon Web Services was vulnerable to different methods of attack, including signature wrapping and cross site scripting, Those security holes have since been closed.
But similar security holes may still be open in other cloud infrastructure offerings, the RUB team found.
"Using different kinds of XML signature wrapping attacks, we succeeded in completely taking over the administrative rights of cloud customers," said RUB researcher Juraj Somorovsky in a statement. "This allowed us to create new instances in the victim's cloud, add or delete images."
The researchers suggested that many cloud offerings are vulnerable to signature wrapping attacks, due to a deviation between performance and security when dealing with Web services.
Along with cross scripting attacks, the researchers uncovered gaps in the AWS interface and in the Amazon online story through which executable script code could be smuggled, or open to cross-site scripting attacks. Through the attack, the RUB security team was able to access customer data.
"We had free access to all customer data, including authentication data, tokens, and even plain text passwords," said RUB researcher Mario Heiderich. "It's a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon cloud."
In a statement e-mailed to CRN, an Amazon spokesperson said that Amazon works with security researchers around the world to identify potential vulnerabilities and to inform and educate cloud users about maintaining security processes in the cloud. In this case, the potential vulnerabilities uncovered by RUB did not impact any Amazon customers.
"It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported," the Amazon spokesperson said. "Additionally, customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities."
The potential security holes revealed by RUB researchers also did not have the impact that the researchers indicated. Amazon added that the potential vulnerabilities highlighted were corrected months ago.
"Regarding Amazon specifically, researchers did not have access to all Amazon.com customer data as has been reported," Amazon said. "The process by which Amazon.com stores customer data would not enable researchers to see and expose information such as passwords or payment information as has been suggested. Additionally, the potential vulnerability reported by these researchers would require customers to intentionally follow a specific script and take various specific actions that had been created by the researchers."
Along with Amazon's public cloud offerings, the RUB security crew also found single wrapping attack and cross site scripting vulnerabilities in private cloud services, including open-source cloud play Eucalyptus Systems. Eucalyptus also immediately closed the security gap when notified by RUB researchers.
"A major challenge for cloud providers is ensuring the absolute security of the data entrusted to them, which should only be accessible by the clients themselves," said Prof. Dr. Jorg Schwenk.
Somorovsky added: "Therefore it is essential that we recognize the security gaps in cloud computing and avoid them on a permanent basis.