1. 13
  1.  

      1. 2

        Frankly, I think this is a stupid S3 bug. They should enforce bucket names are keyed by some sort of unique customer ID for all new buckets and this will be solved eventually (for a long value of “eventually”, I admit)

        1. 1

          I am missing several things:

          1. How does one register “abandoned Amazon S3 buckets for about $400”? I assumed bucket names were not-recyclable like Gmail addresses.
          2. If AWS will let me get a previously registered S3 bucket, do I also buy the contents of it? That can’t possibly be true, but it seems to be what is implied.
          3. How is S3 used in the software supply chain? Is it common to have employees do pip install s3://company_bucket/pandas.whl or something?
          1. 4

            How does one register “abandoned Amazon S3 buckets for about $400”? I assumed bucket names were not-recyclable like Gmail addresses.

            As far as I know bucket names are recyclable. If you delete a bucket anyone else can recreate a bucket with that name.

            If AWS will let me get a previously registered S3 bucket, do I also buy the contents of it? That can’t possibly be true, but it seems to be what is implied.

            No, I think the buckets are “abandoned” in that they are deleted and anyone can just create a new one in its place.

            How is S3 used in the software supply chain? Is it common to have employees do pip install s3://company_bucket/pandas.whl or something?

            Yeah, I think something along those lines, or grabbing docker images from there, CDN related stuff, etc.

            1. 3

              The link @mediremi provides explains it better, but briefly:

              1. I guess they are recyclable!
              2. You don’t get the contents, just the name. But the attack works because third parties provide paths to content in S3 buckets. So if some webpage link downloads s3://foo/bar.sh and I buy foo, I can put up my own bar.sh and the webpage will download that.
              3. Apparently so! You also got src tags pulling javascript from S3, build processes pulling binaries, even government pages saying “download this .exe from this s3 bucket”.
              1. 7

Yeah, the key here is that a LOT of places aren’t using s3://whatever, but an actual URL (http://whatever.s3.amazonaws.com/download.exe). You can trivially scrape, for example, GitHub for any URLs that include S3, then make a request to each of those to see which fail. Then you sort based on number of stars and you’d have a good prioritized list of where to spend money. It is no different from watching for domain names that expire.
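The point made above is that a bucket name nobody currently owns can be re-created by anyone, so the references in your own code, docs and build scripts are what to audit. An added defender-side example (not from the discussion): it pulls bucket names out of the reference styles the thread mentions (s3:// URIs, virtual-hosted and path-style URLs; the sample text and bucket names are constructed) and flags the ones S3 reports as nonexistent. It assumes only the Python 3 standard library, plus network access for the live check.

```python
import re
import urllib.error
import urllib.request

# Constructed sample: the kinds of references the thread describes.
# Every bucket name below is made up for illustration.
SAMPLE_TEXT = """
pip install s3://example-build-artifacts/pandas.whl
<script src="https://example-assets.s3.amazonaws.com/app.js"></script>
curl -O http://s3.amazonaws.com/example-old-installer/setup.exe
https://example-logs.s3.us-west-2.amazonaws.com/report.html
"""

_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_PATTERNS = [
    re.compile(r"s3://" + _BUCKET + r"/"),                                   # s3://bucket/key
    re.compile(r"https?://" + _BUCKET + r"\.s3[.-][a-z0-9.-]*amazonaws\.com/"),  # bucket.s3[.region].amazonaws.com
    re.compile(r"https?://s3[.-][a-z0-9.-]*amazonaws\.com/" + _BUCKET + r"/"),  # s3[.region].amazonaws.com/bucket/
]


def extract_bucket_names(text: str) -> list[str]:
    """Unique bucket names referenced in text, in first-seen order."""
    seen: list[str] = []
    for line in text.lower().splitlines():
        for pat in _PATTERNS:
            for name in pat.findall(line):
                if name not in seen:
                    seen.append(name)
    return seen


def bucket_exists(name: str) -> bool:
    """HEAD the bucket (path-style, so names with dots work over TLS).
    S3 returns 404 only when no account owns the name; 200, 301 (other
    region) and 403 (owned by someone else) all mean the name is taken."""
    req = urllib.request.Request(f"https://s3.amazonaws.com/{name}/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=10)
        return True
    except urllib.error.HTTPError as err:
        return err.code != 404


def find_dangling(text: str, exists=bucket_exists) -> list[str]:
    """Referenced bucket names nobody owns: a stranger could register each
    one and serve their own files at the URLs your code already trusts."""
    return [name for name in extract_bucket_names(text) if not exists(name)]


if __name__ == "__main__":
    for name in find_dangling(SAMPLE_TEXT):
        print("dangling bucket reference:", name)
```

Run it over a checkout of your own repositories rather than the sample, and pin anything it reports to a bucket you control (or move the artifact to a registry that verifies integrity).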

              2. 2

                How is S3 used in the software supply chain?

                S3 doesn’t speak the protocol of most language package managers, but is a cheap object store which doesn’t rack up gigantic bandwidth bills, so putting built artifacts into S3 and directing people to download them is, yes, a very common thing.