Legal Robot: S3 ACL misconfiguration

ID H1:189023
Type hackerone
Reporter baseballislife
Modified 2017-08-29T03:19:52



Legal Robot's s3 bucket [] is misconfigured. The ACL allows me to access and copy all files. This means that I could go through and copy all the media files on the s3 bucket. I did not attempt to delete any files as I did not want to go too far and affect your operations.

Steps to Reproduce:

1) Generate a random AWS key from the AWS Console 2) Perform the following proof-of-concept: ``` $ aws s3 ls s3://legalrobot PRE email/ PRE video/ 2015-12-28 21:39:20 536901 Dan-sq-gray.jpg 2015-12-28 21:39:21 546125 Dan-sq.jpg 2015-10-06 21:35:54 363060 Gizmo-Foldable.pdf 2016-02-26 12:37:45 22945 Megan.jpg 2015-12-08 01:58:52 420926 logo_huge.png 2015-12-08 01:59:04 14714 logo_text_huge.png

copy: aws s3 cp s3://legalrobot/video/meeting-room/MP4/Meeting-Room.mp4 ``` I've noticed that this particular video file is being played in the background of your homepage.


Update your ACL to the proper configuration, preventing other users' from potentially modifying or accessing your s3 bucket.