

Researchers Uncover 'Massive Security Flaws' In Amazon Cloud - d0ne
http://www.crn.com/news/cloud/231901911/researchers-uncover-massive-security-flaws-in-amazon-cloud.htm

======
TimothyFitz
The researchers uncovered an XML Signature Wrapping attack, which requires that
the attacker has access to the plaintext of a correctly authorized XML request
sent to Amazon. Given that every client I know of uses https for EC2 APIs,
this isn't what I would call a "Massive Security Flaw".

More details on XML Signature Wrapping here:
[http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_Wrap...](http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_Wrapping_-_Simple_Context)

~~~
tptacek
You should read their actual paper, esp. section 3.1 (last graf) and 3.2
(first 2 grafs). You've oversimplified the problem; there is a variant of the
attack that doesn't require an XML signature, for instance.

------
maratd
Why is this a story if the flaws have already been fixed? I have no
expectations of perfection from Amazon, just responsiveness.

~~~
salem
At the very least it's a reminder to follow or exceed the security-related
recommendations.

------
DiabloD3
For those looking to ditch Amazon over their mismanagement, try a real VPS
provider like RapidXen.

