
So I reverse engineered two dating apps

Video and picture leak through misconfigured S3 buckets

Typically for images or other assets, some form of Access Control List (ACL) would be in place. For assets such as profile pictures, a common way of implementing ACL would be:

The key would serve as a “password” to access the file, and the password would only be given to users who need access to the image. In the case of a dating app, that is whoever the profile is presented to.

We have identified several misconfigured S3 buckets on The League during the research. All images and videos are unintentionally made public, with metadata such as which user uploaded them and when. Normally the app would get the images through Cloudfront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.

Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created. So that part is unlikely to be so easy to guess.