Amazon is at least partly blame for the massive 2019 Capital One breach that impacted more than 100 million customers, senators are alleging. Security researchers however are of two minds.
In a letter to the Federal Trade Commission (FTC) this week, U.S. senators Ron Wyden (D-Ore.) and Elizabeth Warren (D-Mass.) called for the investigation of Amazon’s role in the Capital One data breach, where a hacker accessed data that was hosted on servers on Amazon’s cloud-based computing platform, Amazon Web Services (AWS).
“Amazon knew, or should have known, that AWS was vulnerable to server-side request forgery [SSRF] attacks,” the senators wrote on Thursday. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
SSRF is a type of server attack where servers can be tricked into connecting to another server it did not intend to. SSRF flaws occur when an online application requires outside resources enabling an attacker to send crafted requests from the back-end server of a vulnerable web application.
In the case of the 2019 breach, a misconfigured web application firewall, which was hosted on the AWS cloud platform, enabled a hacker to launch the SSRF attack and access credit applications, Social Security numbers and bank account numbers between March 19 and July 17. The illegally accessed data was primarily related to credit-card applications made between 2005 and early 2019, by both consumers and businesses. These include a raft of personal information, such as names, addresses and dates of birth; and financial information, including self-reported income and credit scores.
Because other Amazon competitors have built protections against SSRF into their products – including Google since 2013 and Microsoft since 2017 – part of the blame for the attack rests on AWS for not building in similar protections, said the senators: “The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate Section 5 of the FTC Act,” they said.
The letter has split the security community between those who say that Capital One should bear more responsibility in securing its cloud configurations for platforms that host its customer data – and those who say that the onus rests on Amazon to build in more protections to its own product. Some security experts are dismissing the letter altogether, saying that it demonstrates a lack of understanding by politicians of how cloud services work.
“Amazon did not a rent a server to Capital One in the sense that this was a compromised managed server,” Chris Morales, head of security analytics at Vectra, told Threatpost. “There might be confusion and a lack of understanding on how to properly configure privileged access authentication tokens which is a feature of AWS. An analogy would be blaming an apartment complex owner if a tenant of that apartment complex was robbed. That is not something that is enforced today either.”
Security in the cloud is a shared responsibility, but it’s “squarely up to the enterprise” when it comes to determining who has privileges for impacting cloud infrastructure, Balaji Parimi, CEO at CloudKnox Security said in an email: “There are tens of thousands of configurations and privileges within AWS and other cloud platforms, and it only took one such overprovisioned role to lead to the Capital One breach,” he said.
Others, like Evan Johnson, manager of the product security team at Cloudflare, argue that major cloud players hold some level of responsibility in ensuring that their products protect against common attacks like SSRF. That could include bundling protections into AWS like requiring a special header for metadata service requests or requiring temporary credentials to be used in the correct virtual private cloud (VPC).
“The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it” Johnson said in an August post. “In my opinion, it’s clear that AWS’ product offering is not complete since this is a major and recurring problem amongst their biggest customers. AWS should do something about this because IAM [identity and access management] is the root of all security within AWS.”
AWS did not respond to a request for comment from Threatpost. However, Amazon said issued a media statement to CNBC:
“The letter’s claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”
The hack was one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017. The FBI arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub.
Capital One for its part in July said it had fixed what it called a “configuration vulnerability” and that it is “unlikely that the information was used for fraud or disseminated by this individual” — though investigations are ongoing.