upvote

points

by lijok12 hours ago |
comments
upvoteby why_only_1511 hours ago|
next
[-]
if your bucket name is ever exposed and you later delete it, then this doesn't help you.
reply
upvoteby lijok10 hours ago|
parent|
[-]
The entire article talks about “guessing” the bucket name as being the attack enabler, not the leaking of it. What does the landscape look like once you start doing the basics like hashing your bucket names? Is this still a problem worth engineering for?
reply
upvoteby Maxion12 hours ago|
prev|
[-]
I don't think that'd prevent this attack vector.
reply
upvoteby alemwjsl11 hours ago|
parent|
[-]
Ok; salt, and then hash your bucket names
reply
upvoteby xxs10 hours ago|
parent|
[-]
that doesn't help either. 'Salt' is public and usually different/unique per entry/name.

If you mean to use a "secret" prefix (i.e. pepper) then, that would generate effectively globally unique names each time (and unpredictable too) but you can't change the pepper and it's only a matter of time it'd leak.

reply
upvoteby tosti8 hours ago|
parent|
next
[-]
Random pepper. Or just, y'know, randomly generate the effing string. Can't be that hard.
reply
upvoteby lcnPylGDnU4H9OF8 hours ago|
parent|
prev|
[-]
If they can't make the bucket before you do then they are not "bucket squatting", and they can't do so for a salted and hashed bucket name without knowing the salt at runtime.

The public/private distinction seems moot here, too: the salt is a throwaway since you just need the bucket name.

Even if you do need to keep track of the salt, it should be safe for the attacker to know, at least with respect to this attack, because you already own the bucket which the attacker would otherwise hoard.

reply
upvoteby ethanrutherford1 hours ago|
parent|
[-]
The "squatting" part of "bucket squatting" is a bit of a misnomer here. The attack vector is actually in the opposite direction.

1. You set up an aws bucket with some name (any name whatsoever).

2. You have code that reads and/or writes data to the bucket.

3. You delete the bucket at some later date, but miss some script/process somewhere that is still attempting to use the bucket. For the time being, that process lies around, silently failing to access the bucket.

4. The bucket name is recycled and someone else makes a bucket with the same name. Perhaps it's an accident, or perhaps it's because by some means an attacker became aware of the bucket name, discovers that the name is available, and decided to "squat" the name.

5. That overlooked script or service is happy to see the bucket it's been trying to access all this time is available again.

You now have something potentially writing out private data, or potentially reading data and performing actions as a result, that is talking to attacker-owned infrastructure.

reply
upvoteby CloakHQ27 minutes ago|
parent|
[-]
[dead]
reply