The Inquirer-Home

Users inadvertently post Amazon Web Services keys on Github

Administrator access hidden in plain sight
Mon Mar 24 2014, 16:47

UNWITTING USERS of Amazon Web Services (AWS) are facing unexpected bills as a result of posting sensitive security credentials in plain sight on the web.

The web hosting service provides its users with encryption keys in order to grant administrative access to AWS services.

Despite being told to keep these secret keys safe and confidential, many users have - sometimes inadvertently, sometimes idiotically - posted the keys in plain text on code-sharing website Github, according to a report at Australian news website IT News.

If a hacker uses a key found in a Github file, they can get complete access to all data stored under that key at Github, which could then be manipulated or even destroyed. In addition, a hacker could "piggyback" an AWS account, running their own website over the same bandwidth and potentially costing the genuine account holder thousands of extra pounds per month.

AWS customers are told when they sign up that "anyone who has your access key has the same level of access to your AWS resources that you do. Consequently, we go to significant lengths to protect your access keys, and in keeping with our shared-responsibility model, you should as well".

However, the spirit of Github, which encourages collaboration between developers, means that not only is the information available, but it is being actively scrutinised by people who potentially understand the value of the data. Any unscrupulous users of the website might therefore be faced with the gift of an encryption key.

Last November, Github announced a "scorched earth" policy against weak passwords, resetting those that it considered weak, while revoking any corresponding OAuth and SSH tokens. µ

 
