
I know that reading the actual linked content on HN is verboten, but the Bloomberg story says

"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capital One didn’t require insider knowledge, he said."




“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)


The AWS spokesman quoted in the article also explicitly says it wasn't a vulnerability.


Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.


Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.


It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.

Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.
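The thread keeps returning to "access control misconfiguration" on S3 without saying what such a check looks like from the bucket owner's side. The following is an added example (not code from the thread, Bloomberg, or AWS) showing how a defender can audit their own bucket's ACL, bucket policy and Public Access Block settings for anonymous grants. The input documents follow the shape boto3 returns from `get_bucket_acl()`, `get_bucket_policy()` and `get_public_access_block()`, but the sample documents here are constructed and no AWS calls are made; the bucket name and grants are assumptions for illustration.

```python
"""Audit one S3 bucket's access configuration for anonymous access grants.

Added example, not from the original thread. Documents are shaped like
boto3's get_bucket_acl() / get_bucket_policy() / get_public_access_block()
results, but SAMPLE_* below are constructed; nothing is fetched from AWS.
"""
import json

# Canned group URIs that S3 uses for "anyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def acl_public_permissions(acl):
    """Return the set of ACL permissions granted to AllUsers/AuthenticatedUsers."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.add(grant["Permission"])
    return found


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy_json):
    """Return actions an unconditional Allow statement grants to an anonymous principal.

    Statements with a Condition block are skipped: they may still be public
    (e.g. a permissive aws:Referer check) but need a human to read them.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def audit_bucket(name, acl, policy_json=None, public_access_block=None):
    """Return a list of findings; each records whether Public Access Block masks it.

    IgnorePublicAcls makes S3 ignore public ACL grants; RestrictPublicBuckets
    limits a bucket with a public policy to the owning account and AWS services.
    """
    pab = public_access_block or {}
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append({
            "bucket": name,
            "issue": f"ACL grants {sorted(perms)} to a public group",
            "mitigated": bool(pab.get("IgnorePublicAcls")),
        })
    if policy_json:
        acts = policy_public_actions(policy_json)
        if acts:
            findings.append({
                "bucket": name,
                "issue": f"bucket policy allows {sorted(acts)} to Principal '*'",
                "mitigated": bool(pab.get("RestrictPublicBuckets")),
            })
    return findings


# Constructed sample documents (assumed bucket name, not a real bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
LOCKED_DOWN_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, {}):
        state = "mitigated by Public Access Block" if finding["mitigated"] else "EXPOSED"
        print(f"{finding['bucket']}: {finding['issue']} [{state}]")
```

Run against real buckets by replacing the SAMPLE_* documents with the dictionaries boto3 returns; the point of the `mitigated` flag is that an "exposed" ACL or policy is only a live exposure when the account- or bucket-level Public Access Block does not already neutralise it.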


The parts about Amazon were added later, after the article was originally published. Maybe they read HN and found her Gitlab account, as was posted below, before this was published. Most of those news sites back referral link lists.



