Hacker News new | past | comments | ask | show | jobs | submit login

“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)

The AWS spokesman quoted in the article also explicitly says it wasn't a vulnerability.

Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.

Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.

It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.

Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact