Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users’ accounts and services at risk.
A week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.
Raj Bala printed a copy of the notice he received from Amazon pointing out that the app was not built in line with Amazon’s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.
“This exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application’s users,” Amazon told Baj.
Amazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.
Rich Mogull, founder of consultancy Securosis, said this is a big deal.
“Amazon is being proactive and scanning common sources of account credentials, and then notifying customers,” Mogull said. “They don’t have to do this, especially since it potentially reduces their income.”
Mogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire—his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.
Mogull wrote an extensive description of the incident on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.
Turns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.
Amazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.
“To help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,” iTnews quoted Amazon.
Said Mogull: “It isn’t often we see a service provider protecting their customers from error by extending security beyond the provider’s service itself. Very cool.”
