Researchers Uncover 'Massive Security Flaws' In Amazon Cloud [28Oct11]

Amazon's cloud services are vulnerable to attack via a "massive security gap" that enables hackers to access user accounts and data, a team of German researchers has revealed.

Security researchers from Ruhr-University Bochum (RUB) found that Amazon (NSDQ:AMZN) Web Services was vulnerable to several methods of attack, including XML signature wrapping and cross-site scripting. Those security holes have since been closed.

But similar security holes may still be open in other cloud infrastructure offerings, the RUB team found.

"Using different kinds of XML signature wrapping attacks, we succeeded in completely taking over the administrative rights of cloud customers," said RUB researcher Juraj Somorovsky in a statement. "This allowed us to create new instances in the victim's cloud, add or delete images."

The researchers suggested that many cloud offerings are vulnerable to signature wrapping attacks because of a trade-off between performance and security in the way Web services handle signed XML: the verifier checks the signature over the element a reference points to, while the application logic goes on to act on whichever element sits where it expects the operation, and an attacker who can make those two differ gets a validly signed request with content of their choosing.
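The signature wrapping flaw described above, shown as an added example that is not the RUB team's code and not any AWS code. It models the problem with an HMAC over one element's serialized bytes in place of real XML-DSig (RSA signature, C14N, wsu:Id references); the key, the Ids, the element names and the SOAP traffic are all constructed. The vulnerable handler verifies the signature by resolving the Reference Id anywhere in the document and then executes the first Body child; the attacker moves the signed element into a Header wrapper, so the reference still resolves and the digest still matches, and plants a different RunInstances in the Body. The hardened handler acts only on the element the signature actually covers and requires it to be the sole Body operation.

```python
"""XML signature wrapping, in miniature (added example; not the RUB team's or Amazon's code).

Real AWS SOAP requests used W3C XML-DSig (RSA, C14N, wsu:Id references). Here the
signature is an HMAC over one element's serialized bytes, which is enough to show the
flaw: the verifier locates the signed element by Id, then the application acts on
whatever sits first in the Body. Key, Ids, element names and traffic are constructed.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP}
ET.register_namespace("soap", SOAP)
SECRET = b"constructed-demo-key"  # stands in for the customer's signing key


def find_by_id(root, element_id):
    """Resolve a Reference URI (#Id) the way a naive verifier does: by Id, anywhere in the tree."""
    matches = [e for e in root.iter() if e.get("Id") == element_id]
    if len(matches) != 1:
        raise ValueError(f"expected one element with Id={element_id!r}, found {len(matches)}")
    return matches[0]


def mac_of(elem):
    """HMAC over a deterministic serialization of one element (stand-in for C14N + RSA)."""
    e = copy.deepcopy(elem)
    e.tail = None  # tail text belongs to the parent, not to the signed element
    return hmac.new(SECRET, ET.tostring(e, encoding="utf-8"), hashlib.sha256).hexdigest()


def sign(envelope_xml, element_id):
    """Customer side: add Header/Signature covering the element whose Id is element_id."""
    root = ET.fromstring(envelope_xml)
    target = find_by_id(root, element_id)
    sig = ET.SubElement(root.find("soap:Header", NS), "Signature")
    ET.SubElement(sig, "Reference").set("URI", "#" + element_id)
    ET.SubElement(sig, "SignatureValue").text = mac_of(target)
    return ET.tostring(root, encoding="unicode")


def verified_element(envelope_xml):
    """Service side: check the signature, return (root, signed element).

    Raises PermissionError on a bad or missing signature. Note what is not
    checked: where in the document the signed element lives.
    """
    root = ET.fromstring(envelope_xml)
    sig = root.find("soap:Header/Signature", NS)
    if sig is None:
        raise PermissionError("unsigned request")
    target = find_by_id(root, sig.find("Reference").get("URI")[1:])
    if not hmac.compare_digest(mac_of(target), sig.find("SignatureValue").text):
        raise PermissionError("bad signature")
    return root, target


def describe(op):
    return f"{op.tag} {op.findtext('ImageId')}"


def process_vulnerable(envelope_xml):
    """Verifier and business logic disagree about which element matters."""
    root, _signed = verified_element(envelope_xml)
    return describe(root.find("soap:Body", NS)[0])  # first Body child, not the signed one


def process_hardened(envelope_xml):
    """Act only on the element the signature covers, and insist it is the Body operation."""
    root, signed = verified_element(envelope_xml)
    body = root.find("soap:Body", NS)
    if len(body) != 1 or body[0] is not signed:
        raise PermissionError("signed element is not the sole Body operation")
    return describe(signed)


def wrap(signed_xml, attacker_op_xml):
    """Attacker: keep the signed element so '#op1' still resolves and the MAC still
    matches, but park it in a Header wrapper and put a chosen operation in the Body."""
    root = ET.fromstring(signed_xml)
    header, body = root.find("soap:Header", NS), root.find("soap:Body", NS)
    original = body[0]
    body.remove(original)
    ET.SubElement(header, "Wrapper").append(original)
    body.append(ET.fromstring(attacker_op_xml))
    return ET.tostring(root, encoding="unicode")


# Constructed sample traffic.
CUSTOMER_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header/>'
    '<soap:Body><RunInstances Id="op1"><ImageId>ami-customer</ImageId>'
    '<MinCount>1</MinCount></RunInstances></soap:Body></soap:Envelope>'
)
ATTACKER_OP = '<RunInstances><ImageId>ami-attacker</ImageId><MinCount>20</MinCount></RunInstances>'

if __name__ == "__main__":
    signed = sign(CUSTOMER_REQUEST, "op1")
    forged = wrap(signed, ATTACKER_OP)
    print("vulnerable, genuine:", process_vulnerable(signed))
    print("vulnerable, wrapped:", process_vulnerable(forged))  # attacker's operation is executed
    try:
        process_hardened(forged)
    except PermissionError as exc:
        print("hardened, wrapped: rejected,", exc)
```

Run it directly to see the genuine request processed, the wrapped request accepted by the vulnerable handler with the attacker's image, and the same wrapped request rejected by the hardened one. The binding between "what was verified" and "what is executed" is the whole fix; tightening the Id lookup on its own (rejecting duplicate Ids, as find_by_id already does) does not stop this variant, because the signed element is moved rather than duplicated.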

The researchers also uncovered cross-site scripting (XSS) holes in the AWS interface and in the Amazon online store through which executable script code could be smuggled into pages served to other users. Through these attacks, the RUB security team was able to access customer data.

"We had free access to all customer data, including authentication data, tokens, and even plain text passwords," said RUB researcher Mario Heiderich. "It's a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon cloud."

Besides Amazon's public cloud offerings, the RUB team also found signature wrapping and cross-site scripting vulnerabilities in private cloud software, including the open-source platform from Eucalyptus Systems. Eucalyptus likewise closed the security gap immediately when notified by the RUB researchers.

"A major challenge for cloud providers is ensuring the absolute security of the data entrusted to them, which should only be accessible by the clients themselves," said Prof. Dr. Jörg Schwenk.

Somorovsky added: "Therefore it is essential that we recognize the security gaps in cloud computing and avoid them on a permanent basis."