Another unsecured storage bucket has exposed sensitive data
The UpGuard Cyber Risk Team has discovered another unsecured storage bucket, this one exposing 50.4 gigabytes of sensitive data from Capital One. The bucket, found on January 15th, 2018 at the “capitalone-appliance” subdomain, was configured to allow public access.
Thankfully customer data wasn’t exposed, but there was technical data about a Birst appliance that was being used in Capital One’s information system. The data contained administrator credentials and private keys for use in Capital One’s information systems by on-premise Birst hardware for their cloud environment.
Birst appliances are designed to prevent this kind of information leak by residing solely inside the customer’s network (in this case, Capital One’s), cut off from the internet so that public access isn’t possible. Someone copied data that was supposed to be stored only in Birst’s on-premise solution to an Amazon Web Services S3 storage bucket, causing the exact leak that the Birst hardware is used to prevent.
The data leak is extensive enough to give an attacker a map of how to compromise the Birst appliance in Capital One’s information system. Going a step further, an attacker could pivot from the Birst appliance and gain access to a large portion of the remainder of Capital One’s IT environment.
The storage bucket contained three folders, and according to UpGuard’s article, “Browsing the contents of the “528” folder, the access to which was last modified on November 2017, there is a sizable amount of sensitive information – starting with administrative credentials, passwords, and keys for use within the cloud environment in Capital One’s backend. In a subfolder titled “D_Drive” are configurations critical to the cloud appliance, as well as IP addresses and ports used for communication within that environment.
A number of exposed files concern internal access. A file titled Client.key, an encryption key likely used for decrypting data if removed from the appliance, is stored alongside the same encrypted appliance – defeating any tangible benefits of such a protection as if a lock and its key were stored together. Also revealed in the bucket are the username and hashed password used for administering appliance databases.”
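An offline audit for the two conditions described above, a bucket open to the public and key files stored beside the data they protect, added here as an example and not taken from UpGuard or Capital One. The article does not say whether a policy or an ACL made the bucket public, so both are checked; the policy, ACL, bucket name, account ID and object listing are constructed samples, with only the file name Client.key taken from the article.

```python
import json

# ACL group URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
KEY_SUFFIXES = (".key", ".pem", ".pfx", ".p12", ".jks")  # assumed key-material extensions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Sids of Allow statements granted to any principal with no Condition.
    Simplification: statements that carry a Condition are left for manual review."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def public_acl_grants(acl):
    """Permissions granted to the public ACL groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def colocated_keys(object_keys):
    """Key-like files that share a folder with other objects (lock and key together)."""
    by_dir = {}
    for key in object_keys:
        folder, _, name = key.rpartition("/")
        by_dir.setdefault(folder, []).append(name)
    found = {}
    for folder, names in by_dir.items():
        keys = sorted(n for n in names if n.lower().endswith(KEY_SUFFIXES))
        if keys and len(names) > len(keys):
            found[folder] = keys
    return found

def audit(policy, acl, object_keys):
    return {"public_policy": public_policy_statements(policy),
            "public_acl": public_acl_grants(acl),
            "colocated_keys": colocated_keys(object_keys)}

# Constructed sample input (not the real bucket's configuration or contents).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpsOnly", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops"}}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]}
SAMPLE_KEYS = ["backup/appliance.img.enc", "backup/Client.key", "logs/2018-01.txt"]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_KEYS), indent=2))
```

The dictionaries have the same shape as the JSON returned by `aws s3api get-bucket-policy` (its `Policy` field, once parsed) and `aws s3api get-bucket-acl`, so saved output from those commands can be passed to `audit` in place of the samples.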