
AWS error exposed GoDaddy business secrets - sahin-boydas
https://www.zdnet.com/article/aws-error-exposed-godaddy-server-secrets/?ref
======
haney

      "The bucket in question was created by an AWS salesperson 
       to store prospective AWS pricing scenarios while working 
       with a customer," an AWS spokesperson told Engadget.
    

It's bad when even AWS employees misconfigure security on buckets...

~~~
stefan_
I guess it's really bad when sales has to store sales material in self-
configured buckets. That feels like about three layers too low.

~~~
haney

       That feels like about three layers too low.
    

Pretty much my entire feeling on AWS's UX every time I want to do something
simple

------
supermdguy
Can the link be changed to [https://www.upguard.com/breaches/public-domain-how-configura...](https://www.upguard.com/breaches/public-domain-how-configuration-information-for-the-worlds-largest-domain-name-registrar-was-exposed-online)? The original link is essentially blogspam.

------
tptacek
10-15 years ago, if you asked me what would get your SAAS shop owned up, I'd
have said an overlooked SQL injection vulnerability.

5-10 years ago, I'd have said credential stuffing in your accidentally-exposed
admin app.

Today, without question: it's AWS misconfiguration or credential leaking.

~~~
closeparen
If the admin app were not exposed, wouldn’t credential stuffing work just as
well on the VPN interface?

~~~
tptacek
No, because the people whose credentials tend to get stuffed in these examples
tend not to be the people who use the VPN. Like, it happens, but "tier 2
support" is the victim I'm usually thinking about here.

------
Rapzid
"After all, without trade secrets and IP, a business has nothing to stand out
from the crowd."

I'm not sure if that's meant to be sarcastic or serious.

~~~
eeeeeeeeeeeee
I thought that was a bizarre statement too. There are plenty of businesses
that are successful without unique IP. GoDaddy is probably one of the best
examples of that -- it's web hosting and domains, it's mostly a commodity at
this point. Domain registration is absolutely a commodity.

I also question how bad it really would have been if the entirety of the
information was leaked to the public. This is more embarrassing for AWS than
GoDaddy.

~~~
meowface
Yeah, this is a rare case where the company can actually 100% blame the
vendor. It's usually a case of a company not properly following the vendor's
documentation or otherwise misconfiguring something.

~~~
Rapzid
The article is a bit sensationalist from the title through to most of the
"what ifs" and speculations in the body.

Hidden right at the end, GoDaddy even downplays the sensitivity of the
information that was available.

------
campbellmorgan
>"After all, without trade secrets and IP, a business has nothing to stand out
from the crowd."

Except that GoDaddy has a massive, massive brand with millions invested in
marketing over years of business. Its success is hardly down to trade secrets
or juicy AWS discounts...

------
edoceo
Title should read "AWS bucket configuration error by Amazon employee...".

Title makes it seem like AWS system flaw, it's not.

~~~
freeone3000
AWS, as a system, allowed this. AWS, its employees, made such a mistake.
Pretending processes somehow don't involve people blindsides us to obvious
problems in real implementations.

Possible lessons: Why is it so easy/tempting/overlookable to misconfigure a
bucket that an AWS employee could do it? What lessons can we learn from, for
instance, Google Apps, where you don't usually misconfigure your file share?
Upguard's conclusions are what you should be taking away, not "AWS buckets are
fine from a tech standpoint".
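
A defender-side check for the misconfiguration this thread is about, added here as an example and not part of the thread or of any AWS tooling: it audits the three S3 documents that decide public exposure (bucket ACL, bucket policy, Public Access Block) offline, so it can run on exported configuration without credentials. The input shapes are assumed to match the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the sample documents and bucket name are constructed.

```python
"""Offline audit of the S3 settings that can make a bucket world-readable.
Assumption: inputs are the JSON shapes returned by S3 GetBucketAcl,
GetBucketPolicy and GetPublicAccessBlock; sample documents are constructed."""

# Real S3 predefined-group URIs; a grant to either is a public grant.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Permissions the bucket ACL hands to a global group (READ lists keys)."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal and carrying no Condition.
    A Condition may still narrow access, so those are skipped: a conservative
    approximation of IAM evaluation, not the real thing."""
    hits = []
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(acl, policy, pab):
    """Return findings; a fully enabled Public Access Block overrides the rest."""
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if not missing:
        return []
    findings = ["PublicAccessBlock not fully enabled: " + ", ".join(missing)]
    findings += [f"ACL grants {p} to a global group" for p in public_acl_grants(acl)]
    findings += [f"policy statement {s} allows any principal"
                 for s in public_policy_statements(policy)]
    return findings

# Constructed samples: a bucket left public as the thread describes, and the
# Public Access Block settings that would have neutralised it.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI":
    "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_PAB = dict.fromkeys(PAB_KEYS, False)
HARDENED_PAB = dict.fromkeys(PAB_KEYS, True)
```

Running `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, OPEN_PAB)` yields three findings, while the same ACL and policy under `HARDENED_PAB` yield none, which is the account-level control that would have caught the bucket in the article regardless of what the console click did.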

~~~
Terretta
The Internet as a system allowed this deliberately public configuration, so
the Internet is at fault.

The World Wide Web as a system allowed this deliberately public configuration,
so the web is at fault.

AWS S3 as a system allowed this deliberately public configuration. So AWS S3
is at fault.

None of those seem quite right.

To me, seems more like AWS S3 isn’t designed for the higher level use case of
sending a “shared secret” folder link by email to a collaborator, combined
with a drinking the kool-aid tic where all employees try solving all use cases
with the in-house hammer at hand.

At the same time, I think AWS _has_ made a mistake — putting a Web Console on
top of an API driven infrastructure, and investing so much recently in trying
to make the web UI more “usable”.

AWS is not your father’s webmin VPS, but by now the console is so friendly,
today’s sales guy can be forgiven for thinking S3 config and Dropbox config
are the same thing.

~~~
user5994461
Looks like a case for FTP. Does AWS provide FTP hosting? I think not.

------
politelemon
_human_ error exposed GoDaddy business secrets. AWS did exactly what it was
told to do.

~~~
haney
Except an AWS employee configured it; granted, that employee was human, but they
were a member of the blamed organization.

------
late2part
Is there a public link to the disclosed details of the information?

------
praveenscience
Dupe:
[https://news.ycombinator.com/item?id=17741281](https://news.ycombinator.com/item?id=17741281)

~~~
dijit
This post has more points. Additionally the other post has no comments.

~~~
perl4ever
Since the comment you're responding to is the oldest one, it would seem this
thread had no comments yet either.

------
cannonedhamster
Without attempting to make a joke, wouldn't a better place to store a doc like
this be any of the following: Google Docs, O365, Dropbox, Box.com, Zoho, or
basically ANY system designed for file sharing with specific external
customers? AWS isn't really meant to function on its own as a file sharing
service, though there are services that could have been made on AWS for this
purpose.

