UNWITTING USERS of Amazon Web Services (AWS) are facing unexpected bills as a result of posting sensitive security credentials in plain sight on the web.
The web hosting service provides its users with encryption keys in order to grant administrative access to AWS services.
Despite being told to keep these secret keys safe and confidential, many users have - sometimes inadvertently, sometimes idiotically - posted the keys in plain text on the code-sharing website GitHub, according to a report at Australian news website IT News.
If a hacker uses a key found in a Github file, they can get complete access to all data stored under that key at Github, which could then be manipulated or even destroyed. In addition, a hacker could "piggyback" an AWS account, running their own website over the same bandwidth and potentially costing the genuine account holder thousands of extra pounds per month.
AWS customers are told when they sign up that "anyone who has your access key has the same level of access to your AWS resources that you do. Consequently, we go to significant lengths to protect your access keys, and in keeping with our shared-responsibility model, you should as well".
However, the spirit of GitHub, which encourages collaboration between developers, means that not only is the information available, but it is also being actively scrutinised by people who understand the value of the data, and so any unscrupulous users of the website might be handed the gift of an encryption key.
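The practical defence against the problem described above is to catch credentials before they reach a public repository, for example in a pre-commit hook. The following scanner is an added example written for this piece, not code from the article, IT News, GitHub or AWS. It relies on the documented shape of AWS access key IDs (a four-character prefix such as `AKIA` followed by 16 upper-case letters and digits) and, because a 40-character secret access key on its own looks like any base64 string, it only flags a secret when it sits next to an `aws_secret_access_key`-style assignment. The sample files are constructed here and use the placeholder credentials from AWS's own documentation; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# AWS access key IDs: prefix (AKIA = long-term, ASIA = temporary) + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-like characters. Matching that alone floods
# the report with false positives, so require an assignment-style keyword first.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    """One credential-looking string, with the value already redacted."""
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret):
    """Keep the first and last four characters so a finding can be triaged
    without the report itself becoming a second leak."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path, text):
    """Return findings for every line of `text` that looks like an AWS key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id",
                                    redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key",
                                    redact(m.group(1))))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample "staged files". The key values are the placeholder
# credentials AWS uses in its documentation, not real secrets.
SAMPLE_FILES = {
    "config.py": (
        "# quick hack, will move to env vars later\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    # The safe pattern: the code reads the key from the environment at runtime.
    "main.go": (
        "package main\n"
        "import \"os\"\n"
        "var accessKey = os.Getenv(\"AWS_ACCESS_KEY_ID\")\n"
    ),
    # Prose that mentions the prefix but carries no full key must not fire.
    "README.md": "Keys starting with AKIA are long-term credentials.\n",
}


def main():
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    # A hook would block the commit when anything was found.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pre-commit hook, a non-zero exit from `main()` stops the commit; the redacted output tells the developer which file and line to fix without reprinting the full key into terminal scrollback or CI logs.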
Last November, GitHub announced a "scorched earth" policy against weak passwords, resetting those that it considered weak, while revoking any corresponding OAuth and SSH tokens.