March 31, 2014

Critical Vulnerability: AWS Credential Disclosure

Critical Vulnerability: AWS Credential Disclosure

This is NOT an April Fools joke

Trustlook Security team has discovered a critical AWS credential leaking vulnerability on many mobile applications. Due to a bad security practice, some developers, including a few large vendors, have embedded AWS credentials into their mobile applications, which allows attackers to gain access of the Amazon cloud infrastructure.

In the initial scan on cached apps in Trustlook’s cloud platform, we have found more than 50 android applications, including some very popular ones, are impacted by this critical vulnerability. As our research team is still working with the vendors to fix this vulnerability, more detailed information will be published as soon as we ensured no one would be harmed.

As for the impact, attackers can almost do anything on behalf of the developer’s AWS account, including:

1) Start or shut down existing Amazon EC2 virtual machines
2) Add or delete existing Amazon S3 storage database
3) Add or modify Amazon SNS and SQS information
4) All other Amazon services

A victim’s true story: The attacker compromised his AWS account, opened some extra large instances to mine bitcoin.

We reasonably believe that some of the vendors’ backend data has already been leaked.

Some of the scanning results:

Cloud Storage App, 10M – 50M installations:

Screen Shot 2014-03-29 at 11.21.21 AM

Reading and Music app, 10M – 50M installations – Yes, they tried to hide the AccessKey pair in a library file and dynamically load it. But can still be reversed:

Screen Shot 2014-03-31 at 6.27.13 PM

Popular Social App that everyone knows, encoded the key, but can be easily decoded:

Screen Shot 2014-04-02 at 4.35.44 PM

A glance of the list:

Screen Shot 2014-04-01 at 4.24.06 PM


To developers: It’s always a bad idea to hardcode the AWS credentials into your app. Because anything you put into the code/resource could be easily reversed from compiled APK file. If you really need that functionality, the “Temporary Security Credentials” is a good alternative. (