Image and video clip leak through misconfigured S3 buckets
Typically for images or other assets, some sort of Access Control List (ACL) will be in place. A common way of implementing an ACL for assets such as profile pictures
The key would act as a "password" to access the file, so the password would only be given to users who need access to the image. In the case of a dating app, that is whoever the profile is shown to.
I've identified several misconfigured S3 buckets belonging to The League during this research. All images and videos are unintentionally public, along with metadata such as which user uploaded them and when. Normally the app would fetch the pictures through CloudFront, a CDN in front of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.
Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created, so that part is unlikely to be easy to guess. The filename, however, is controlled by the client; the server accepts any filename. In the client app it is hardcoded to upload.jpg.
The owner has since disabled public ListObjects. Nevertheless, I still think there should be some randomness in the key. A timestamp cannot serve as a key.
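As an added defender-side example (not code from the original write-up or from The League), the following Python sketch shows the two points made above: a server-generated random object key that ignores the client-controlled filename except for an allowlisted extension, and an audit that flags timestamp-based or short-secret keys in a bucket listing. The sample UUIDs, keys and the 128-bit threshold are constructed assumptions.

```python
import math
import re
import secrets

# Constructed sample bucket listing (not real data). The first two keys follow the
# pattern the write-up warns against: UUID prefix, upload timestamp, and the
# client-controlled filename that the app hardcodes to upload.jpg.
SAMPLE_KEYS = [
    "c0ffee11-2222-4333-8444-555566667777/1517443200/upload.jpg",
    "c0ffee11-2222-4333-8444-555566667777/1517443261/upload.jpg",
    "d00d1234-aaaa-4bbb-8ccc-dddddddddddd/Qx9s6Wq7F1vZbE3PgH8YhJmKcT2aLuNoRd4SeWi0fXs.jpg",
]
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "mp4"}
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
TIMESTAMP_RE = re.compile(r"\d{9,13}")          # Unix seconds or milliseconds
URLSAFE_RE = re.compile(r"[A-Za-z0-9_-]+")      # alphabet of secrets.token_urlsafe
MIN_SECRET_BITS = 128                           # assumed audit threshold


def hardened_object_key(profile_uuid: str, client_filename: str) -> str:
    """Build a key whose secret part is chosen by the server, not the client.
    The client filename contributes only an allowlisted extension; the 32-byte
    token from the OS CSPRNG (~256 bits) is what makes the object unguessable."""
    if not UUID_RE.fullmatch(profile_uuid):
        raise ValueError("profile UUID must be the server-generated UUID")
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{profile_uuid}/{secrets.token_urlsafe(32)}.{ext}"


def guessable_reasons(key: str) -> list[str]:
    """Audit one key from a bucket listing; an empty list means it passes."""
    parts = key.split("/")
    stem = parts[-1].rsplit(".", 1)[0]
    components = parts[1:-1] + [stem]           # everything after the UUID prefix
    reasons = []
    if any(TIMESTAMP_RE.fullmatch(c) for c in components):
        reasons.append("timestamp used as a key component")
    # Upper bound on the entropy of the longest random-looking component:
    # each URL-safe character carries at most log2(64) = 6 bits.
    secret_bits = max(
        (len(c) * math.log2(64) for c in components
         if URLSAFE_RE.fullmatch(c) and not TIMESTAMP_RE.fullmatch(c)
         and not UUID_RE.fullmatch(c)),
        default=0.0,
    )
    if secret_bits < MIN_SECRET_BITS:
        reasons.append(f"secret component is at most {secret_bits:.0f} bits (< {MIN_SECRET_BITS})")
    return reasons


def audit_listing(keys: list[str]) -> dict[str, list[str]]:
    """Map each guessable key in a listing to the reasons it was flagged."""
    return {k: r for k in keys if (r := guessable_reasons(k))}
```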
IP doxing through link previews
Link previews are something that is hard to get right in a lot of messaging apps. There are typically three approaches to link previews:
The League uses recipient-side link previews. When a message includes a link to an external image, the link is fetched on the user's device when the message is viewed. This could easily allow a malicious sender to send an external image URL pointing to an attacker-controlled server, obtaining the recipient's IP address when the message is opened.