    Critical AWS flaw exposes thousands of web apps to attack
    AWS Application Load Balancer vulnerability discovered

    By Mudit Dube
    Aug 21, 2024
    02:48 pm

    What's the story

    A recently discovered vulnerability in Amazon Web Services' (AWS) Application Load Balancer, a traffic-routing service, could potentially expose thousands of web applications to security risks.

    The flaw is not due to a software bug but rather an issue with customer implementation.

    This means that the risk arises from how AWS users configure authentication with the Application Load Balancer, as revealed by cybersecurity firm Miggo.

    Exploitation process

    How the vulnerability works

    The vulnerability could allow an attacker to manipulate the handoff of the Application Load Balancer to a third-party corporate authentication service, thereby gaining unauthorized access to web applications and potentially viewing or extracting data.

    To exploit this flaw, an attacker would need to create an AWS account and an Application Load Balancer.

    They would then sign their own authentication token before making configuration changes that make it appear as if their target's authentication service issued the token.

    Impact assessment

    Over 15,000 web apps potentially at risk

    Miggo's research indicates that over 15,000 publicly accessible web applications may have vulnerable configurations due to this flaw.

    However, AWS disputes these figures, stating that "a small fraction of a percent of AWS customers have applications potentially misconfigured in this way," which is significantly less than Miggo's estimate.

    The exact number remains uncertain as AWS does not have access or visibility into its clients' cloud environments.

    Mitigation measures

    AWS's response and recommendations

    In response to the vulnerability disclosure, AWS has contacted affected customers to suggest a more secure implementation.

    The company does not view token forging as a vulnerability in Application Load Balancer, but rather an expected outcome of choosing to configure authentication in a particular way.

    However, after Miggo disclosed their findings, AWS made two documentation changes aimed at updating their implementation recommendations for Application Load Balancer authentication.

    Security updates

    AWS's updated guidance for secure implementation

    The first update from AWS, dated May 1, included guidance to add validation before Application Load Balancer will sign tokens.

    On July 19, the company also added an explicit recommendation that users set their systems to receive traffic from only their own Application Load Balancer using a feature called "security groups."

    These changes effectively address the attack path proposed by Miggo researchers but require AWS users with vulnerable configurations to implement them.
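    As an added example (not code from the article, from Miggo or from AWS), the kind of check an application behind the load balancer can run before trusting the identity token the load balancer forwards: the header name and the token's `signer` field come from AWS documentation, while the ARNs, key id and token contents are constructed sample values.

```python
import base64
import json

# Header name and JWT header field names follow AWS documentation for the
# Application Load Balancer's forwarded identity token; all ARNs and token
# contents below are constructed sample values, not real resources.
ALB_OIDC_HEADER = "x-amzn-oidc-data"
ALLOWED_ALGS = {"ES256"}

OWN_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/own-alb/EXAMPLE"
OTHER_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/other-alb/EXAMPLE"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(signer_arn: str, sub: str) -> str:
    """Build a constructed, unsigned ALB-style token for demonstration only."""
    header = {"alg": "ES256", "kid": "sample-kid", "signer": signer_arn, "typ": "JWT"}
    payload = {"sub": sub, "email": f"{sub}@example.com"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"signature-placeholder"),
    ])


def check_token_signer(token: str, expected_signers: set[str]) -> tuple[bool, str]:
    """Accept the token only if its header names one of our own load balancers.

    Returns (accepted, reason). Verifying the signature with the key fetched for
    `kid` from the region's public-key endpoint is a separate, later step; this
    check runs first so a token signed by someone else's load balancer is never
    trusted, which is the misconfiguration the article describes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers base64 errors and JSON decode errors
        return False, "undecodable header"
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"unexpected alg {header.get('alg')!r}"
    if not header.get("kid"):
        return False, "missing kid"
    signer = header.get("signer")
    if signer not in expected_signers:
        return False, f"signer {signer!r} is not one of our load balancers"
    return True, "signer ok"
```

    Pair this with the security-group restriction the article mentions, so that requests can only arrive through the application's own load balancer in the first place.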

    User responsibility

    AWS's shared responsibility model

    The fixes proposed by AWS are not like a software patch that a developer can push out to all users.

    Instead, they involve changing how AWS customers have set up their own systems.

    This falls under the Shared Responsibility Model, where such situations often sit in the gray area between what a cloud platform provider should address for its customers and what users need to manage themselves.
