Playing With s3 — Leaks

Aswin Thambi Panikulangara
Jul 29, 2021

Hi Everyone,

My name is Aswin Thambi Panikulangara (R0074G3N7). In this writeup, I will be sharing my technique for enumerating s3 buckets, finding misconfigurations, and a recent bug I found in a public program (P1).

Tools: Subfinder, Ffuf, waybackurls

* is in scope. As usual, I started with subdomain enumeration; for subdomain enumeration I mostly use sublister.

subfinder -d > subdomains.txt

Next, I used Ffuf for fuzzing and enumerating s3 buckets.

ffuf -u -w subdomains.txt

After fuzzing, I got 5 buckets. Four of them denied access and one was open.

Bucket was like :

So I need to confirm this bucket belongs to I used waybackurls this time.

cat subdomains.txt | waybackurls | grep s3.amazonaws

waybackurls disclosing s3 buckets.

After seeing this, I just tried to list the bucket.

aws s3 ls s3://

Bucket listed successfully!!!

It was leaking tons of private pictures of users, which anyone could access publicly.

Again, I tried to mv and cp files into the bucket, but failed. So I reported this directly to the company.
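For bucket owners, the condition reported above (listing allowed, writes refused) can be detected from the bucket's own ACL and policy documents. The following is an added example, not part of the original writeup: `public_exposure` and the sample documents are constructed for illustration, and the input shapes are assumed to match the output of `aws s3api get-bucket-acl` and the parsed policy from `aws s3api get-bucket-policy`.

```python
import fnmatch

# Predefined ACL groups that make a grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Bucket ACL permission -> capability it grants on the bucket.
ACL_EFFECT = {"READ": {"list"}, "WRITE": {"write"}, "FULL_CONTROL": {"list", "write"}}
# Policy actions checked in this example -> capability.
POLICY_EFFECT = {"s3:ListBucket": "list", "s3:GetObject": "read", "s3:PutObject": "write"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(acl, policy=None):
    """Return {'list': [...], 'read': [...], 'write': [...]} with a reason per public grant."""
    found = {"list": [], "read": [], "write": []}
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            for effect in sorted(ACL_EFFECT.get(grant.get("Permission"), ())):
                found[effect].append(f"ACL {grant['Permission']} to {who}")
    for stmt in _as_list((policy or {}).get("Statement", [])):
        # Assumption: statements carrying a Condition are scoped and need manual review.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, effect in POLICY_EFFECT.items():
                # Action names are case-insensitive and may contain * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found[effect].append(f"policy allows {pattern} to *")
    return found

# Constructed sample: listing is public, writing is not.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(public_exposure(SAMPLE_ACL, SAMPLE_POLICY))
```

This check reads only the ACL and policy documents; S3 Block Public Access settings, when enabled, override such grants and should be reviewed alongside them.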

2021 July 29: reported.

2021 July 29: triaged as critical, fixed.

2021 July 30: listed in HOF page.

2021 July 30: rewarded with Swags.