A security researcher found yet another unsecured Amazon S3 bucket leading to more cloud data leakage due to user error.
The cloud data leakage of Dow Jones & Company customer data marked the latest in a line of Amazon Web Services (AWS) cloud data leakage incidents.
Dow Jones confirmed the AWS data leak included customer names, email addresses and some partial credit card numbers, but said no full credit card numbers or account credentials were part of the cloud data leakage. Dow Jones claimed the issue affected 2.2 million customers, but security researchers estimated the number to be "closer to 4 million."
References: Dow Jones Data Leak: Over 2 Million Customers' Personal Details Exposed in Cloud Storage Error | Dow Jones Data Leak Results from Amazon AWS Configuration Error | Dow Jones Index – of Customers, Not Prices – Leaks from AWS Repo
A new vulnerability was discovered while researching an internet of things (IoT) security camera, but the research shows that a wide range of IoT devices has similar problems.
The vulnerability, dubbed Devil’s Ivy, is an open-source re-use problem. The flaw itself lies in gSOAP, which is maintained by Genivia. Genivia claims to have more than 1 million downloads, with IBM, Microsoft, Adobe and Xerox as customers.
The exploit allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to the collection of sensitive information or prevent a crime from being observed or recorded.
References: Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices | Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions | Devil's Ivy Bug Patched After Found in Toolkit Potentially Used by Millions of IoT Devices
*IP addresses provided by Recorded Future.