These two major AWS security flaws could have left user accounts wide open

Amazon Web Services logo
(Image credit: Future / Mike Moore)

Amazon Web Services (AWS) has been forced to patch two major security vulnerabilities, which could have been used to steal sensitive data, reports have claimed.

The two vulnerabilities in Amazon’s cloud computing arm were discovered by cybersecurity researchers from Orca Security, and were dubbed Superglue and BreakingFormation.

Superglue exploits an issue in AWS Glue, allowing users to access data managed by other Glue users. AWS Glue is a service which customers use to store huge swathes of data. 

A fix within a day

"We were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account," Orca said, "which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges."

By taking advantage of the flaw, Orca’s researchers managed to do a number of potentially malicious things, such as assume roles in AWS customer accounts trusted by Glue; query and modify AWS Glue service-related resources in a specific region; discovered a way to access data managed by other Glue users. It’s important to note that Orca did not actually gain access to anyone else’s data. 

BreakingFormation leverages a vulnerability found in AWS CloudFormation, a tool that lets users “model, provision, and manage AWS and third-party resources by treating infrastructure as a code.”

According to Orca, this vulnerability could have been used to steal sensitive data from third parties.

Orca’s researchers tested the fixes (which allegedly took AWS roughly 25 hours to code) and found that the vulnerabilities were fully patched and no longer exploitable.

Via: PCMag

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person holding a virtual cloud in the palm of their hand.
Amazon EC2 instances could be under fire from whoAMI technique giving hackers code execution access
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
AWS S3 feature abused by ransomware hackers to encrypt storage buckets
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over