The latest on the web is the Time Warner hack: a bad AWS S3 config has (once again) exposed the details of approximately 4 million subscribers.
This follows not long after the Instagram API leaking user contact information and a few other recent leaks involving poorly secured Amazon AWS S3 buckets, and I’d hazard a guess that it won’t be the last.
Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.
Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.
Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.
When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.
“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.
This is also not the first data leak to involve a poorly secured Amazon S3 bucket (to be fair, AWS IAM is pretty complex).
Still, that’s no excuse if your people can’t understand it – hire someone who can secure your buckets properly (per app, separate users for each). Too many dev teams just use the root account credentials for accessing everything, which is the worst possible way to use S3.
“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”
The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.
A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup and is notifying the customers who were exposed.
“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”
This Time Warner hack has exposed some pretty juicy information. Thankfully no credit card details appear to have been leaked, but everything else you need to social engineer an account is there, or even, in a worst-case scenario, to hijack someone’s identity.
It’s also not really surprising to me that it’s been that way for some time (possibly even 7 years?), as by default S3 is publicly accessible, and if you don’t change it nothing will break, so it’s very easily forgotten.
Source: The Register
engineer says
By default S3 buckets are not public.
Darknet says
They used to be IIRC, but I could be wrong, well I guess more accurately the easiest way to get access to it programmatically is just to set it to public.
Engineer S says
Yes, it had to be configured to be open to the web. This story is not really about AWS. It’s about bad IT controls and careless engineering.
I wouldn’t even call this a hack, if it’s left open to the public.
Alan M says
Broadsoft was responsible for exposing the Time Warner Cable (TWC) data. Time Warner (TC) is an entirely separate entity (TC does NOT = TWC).
Darknet says
Hey thanks for that clarification Alan.
Tracie says
Also, Time Warner Cable is no longer TWC. It is now Spectrum.
Ryan Dymek says
Buckets have zero access beyond the creator. “Easiest way to grant access is to make it public”… that same statement applies to a Cisco firewall in an on-prem enterprise. And allow any rule is simple but terribly wrong. IAM or bucket policies are no more complex than any enterprise grade firewall. Let’s not excuse the behavior of the admin due to ignorance.
Darknet says
Not excusing it, just saying it happens that way, same reason why MongoDB worked out of the box with no auth and listening on every interface. Not ideal, but a lot of things are done in the name of ease and speed of deployment rather than looking at it with an eye on risk and the repercussions.