
Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA


The “Shadow Resource” flaws enabled attackers to pre-claim other users’ S3 buckets as their own.

The discoveries, by Aqua Security’s Nautilus research team, were presented in a session on Wednesday morning at the cybersecurity conference, held this year in Las Vegas. “While this process can take some time, you need to consider that in big organizations with hundreds of accounts and thousands of users the probability of occurrence is high,” the researchers noted in a blog post. Depending on the service, exploitation of the vulnerability could have different impacts: manipulating the code of Glue jobs could lead to remote code execution (RCE); injecting code into Jupyter notebooks uploaded by EMR could enable cross-site scripting (XSS) attacks; reading and writing SageMaker datasets could lead to theft or manipulation of AI training data; and squatting on CodeStar S3 buckets can cause denial of service (DoS), because new projects cannot be created when the bucket is owned by another account.
