• Ephera
    11 year ago

    Hmm, I don’t know AWS. Does this mean, this key only had access to that particular Bucket? Or would an attacker have access to any Bucket in InfoSys’ AWS?

    • Arthur BesseA
      21 year ago

      It had access to a lot more than just S3 buckets 😱

      AWS docs say AdministratorAccess means "This user has full access and can delegate permissions to every service and resource in AWS." Presumably a company the size of InfoSys has other AWS accounts too though; who knows which or how many projects this one is actually used for. It’s perhaps worth noting the other permission it apparently had: access to the Amazon Redshift data warehousing product.

      I’m trusting that the access key has really been revoked now, so it should be safe to say this:

      Github won’t show the diff of the PR, probably because the InfoSys person deleted their account, but anyone who is curious can see the file they were trying to delete here: https://github.com/orf/pypi-data/blob/main/release_data/i/h/ihip.json … which in turn has the URL for the source package on files.pythonhosted.org, which is also still available right now due to the joy of CDNs (despite the package metadata having been deleted from PyPI now, so it is no longer searchable there). So, if anyone wants to see the ihip source code they still can.

      Kudos to the pypi-data maintainer for their responsible handling of this. I think making the decision to nuke the leaked token themself was the right thing to do, and I really hope they don’t face legal persecution for it!

      Everyone should assume that any AWS credentials accidentally published to a place like pypi will be exploited, even if they are only there for a short time (much less a year!) because there are definitely people with automated systems looking for things like this for purposes other than responsible disclosure.

      And yet, somehow I think it’s probably reasonable to assume that InfoSys will not be notifying the patients whose data is in Johns_Hopkins_Hospital/Input/Excel/Covid_patientdetails/covid_patient_details.xlsx and the presumably many other similar files there, and they also probably will not be doing any kind of massive audit of everything else that god mode on that AWS account could read and write.

      Everything is terrible 😢