Rich Freeman via plug on 4 May 2021 07:43:40 -0700



Re: [PLUG] Dell disaster


On Tue, May 4, 2021 at 10:26 AM jeffv via plug
<plug@lists.phillylinux.org> wrote:
>
> Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys
> https://thehackernews.com/2021/05/over-40-apps-with-more-than-100-million.html
>

I really dislike the style of reporting in this one.  They apparently
found 40 apps with 100M installs that contained an AWS key.  Then they
go on to talk about the worst-case possibilities and a few examples of
stuff that might be bad.  They talk about a few examples of apps with
AWS keys.  However, there is no indication of the impact of any
individual app's use of a key.  This sort of juxtaposition tends to
imply that the specific apps they list have the specific flaws they
list, but they don't actually say that (probably because it isn't
true).

API keys are pretty common and hard to avoid in mobile apps, and
really this is just one more example of them.  They aren't necessarily
security problems if managed properly.  Maybe one of those apps is
popular with 20M installs and all the key does is provide read-only
access to some small S3 buckets containing configuration info that
might need to be updated.  That isn't really a vulnerability - sure,
it costs you money every time somebody GETs the URL, but the same is
true of ANYTHING you distribute from any sort of server.

The problem with the way they mix things is that it implies that the
popular apps with all those installs contain the sorts of worst-case
problems that the website talks about.  Instead there could just be
some popular apps following best practices, and somewhere in the list
there is this app with 10 downloads that has a fairly permissive AWS key
that is an incident waiting to happen.

Also, most of the problems this exposes are problems for the companies
distributing the apps, not the customers, except to the degree that
the app collects customer data, and I'd argue that is an exposure for
the customer no matter how secure their APIs are.

Obviously the lesson here is that when you're using AWS you should be
managing your identities and not sticking access keys with a lot of
permissions in things you mass distribute.  However, there really is
no way to completely prevent theft of service and so on when you're
doing something like this, whether you use a cloud provider or
self-host.  If that app has a way to get your server to do some work,
then ANYBODY can use its credentials to do the same in any context.
All you can do is try to limit the attack surface.  Really though if
somebody wants to run up your AWS bill all they need to do is just
hammer your website with GETs or whatever, and the same applies to
self-hosting.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
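The two cases Rich contrasts above, a key that can only read one small configuration bucket versus a key with broad permissions shipped in a mass-distributed binary, come down to what the IAM policy behind the key allows. The following is an added example, not code from the original post or from the PLUG list, that reviews an IAM policy document before a key bound to it is embedded in a client: it flags wildcard actions, actions outside a read-only allowlist, and unscoped resources. The bucket name `example-app-config`, the allowlist and the three sample policies are constructed for the example.

```python
"""Review an IAM policy proposed for a key that will ship inside a distributed app.

Added example (assumption-based): the allowlist below is the set of actions we
consider acceptable for a read-only client credential; adjust it per project.
"""
import json

# Actions a mass-distributed client key is allowed to hold (constructed allowlist).
READ_ONLY_ALLOWLIST = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_embedded_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means read-only and resource-scoped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen what the key can do
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action not in READ_ONLY_ALLOWLIST:
                findings.append(f"statement {idx}: non-read-only action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"statement {idx}: unscoped resource {resource!r}")
    return findings


# Constructed sample policies (not taken from any real app).
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

WRITE_CAPABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-config/*"},
    ],
}

SCOPED_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-config"},
    ],
}


if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY),
                         ("write-capable", WRITE_CAPABLE_POLICY),
                         ("scoped read-only", SCOPED_READ_ONLY_POLICY)]:
        print(f"{name}: {json.dumps(review_embedded_policy(policy))}")
```

Running the script reports two findings for the permissive policy (wildcard action and unscoped resource), one for the write-capable policy (`s3:PutObject`), and none for the scoped read-only policy, which is the "small S3 bucket containing configuration info" case that Rich describes as a cost exposure rather than a vulnerability. The check is a pre-release gate, not a substitute for the identity management Rich mentions: AWS's own guidance for mobile clients is short-lived credentials issued through Cognito or STS rather than a long-lived access key in the binary, and this review applies equally to the role such credentials assume.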