CloudSquatting by Barrage Security
We have identified a pervasive issue where websites or applications erroneously reference abandoned cloud resources. An attacker can easily take over these abandoned resources and potentially steal logins, payment info, modify website content, or even take control of computers. We have dubbed this class of vulnerabilities “CloudSquatting”. In a short time window, we identified 18 million requests to abandoned resources, affecting over 10,000 applications including one of the most popular social media apps today.
The issue arises when an application references an object stored in cloud providers, where the object storage location no longer exists. This can be due to many reasons such as cloud provider account closure or a third-party integration being shut down. The naming convention of these object stores relies on just the common name of the storage location like “my-special-storage-location” to register and subsequently reference the object store. Since there is no scope of ownership of deleted resources, anyone with an account with the cloud provider can start squatting on the resource and serve arbitrary content.
- Quantifying Scope
- Responsible Disclosure of Affected Applications
- Build Tooling to Detect and Remediate
- Deliver Recommendations
The team would like to thank the following indiviudals and groups for their valuable insight and support during the course of the research project:
Dr. Sekhar Sarukkai
Prof Ryan Liu
Center for Long-Term Cybersecurity
Our fellow cohort members