Viacom server leak exposes critical data
Wed 20 Sep 2017
An unsecured Amazon Web Services S3 server led to a data leak for Viacom, the world’s sixth-largest media company and owner of Paramount Pictures and television brands including MTV, Comedy Central, and Nickelodeon.
The leak, discovered by security researchers from UpGuard, included a master provisioning server that was left accessible to the public internet. It contained credentials for building servers and the company’s secret cloud keys, which could have allowed malicious actors to access and control Viacom’s servers.
Chris Vickery of UpGuard, the same security researcher who discovered over 198 million voter records leaked this past summer by RNC analyst contractors, found an unsecured Amazon Web Services S3 cloud storage bucket that appeared to hold compressed backup files.
The cloud bucket contained passwords and manifests for Viacom’s servers. It also contained Viacom’s access key and the secret key to access the organization’s AWS account. These credentials could have compromised Viacom’s servers, data storage and databases as well as cloud instances in the company’s toolchain.
As Vickery said in his blog post describing the discovery, ‘Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket.’
A malicious actor who gained access to Viacom servers could not only have controlled the access and data contained therein, warns UpGuard, but could also have used the data to execute phishing schemes, using confidential data to trick users into giving up personal details, including banking or credit card information. In addition, having the AWS secret access key along with server configuration details could allow a hacker to create additional cloud servers, which could then be used in a botnet attack.
This is the latest in a string of misconfigured S3 servers that have resulted in major data breaches. The RNC voter records that were leaked in June, the Dow Jones data leak discovered in July, and the Viacom leak discovered in August were all the result of misconfigured S3 servers. All three were initially discovered by Chris Vickery.
In August, Amazon launched Macie, a data security service used to monitor data access activity using machine learning. Macie looks for sensitive data and provides administrators with alerts for unauthorized access or inadvertent data leaks. Macie currently protects data stored in S3 servers, with support for additional Amazon products to be released by year-end.
Viacom was notified of the misconfigured server by Vickery upon discovery, and the issue was corrected within hours.