Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

System misconfiguration is the number one vulnerability, at least for Mastodon

Lenin Alevski, posted 3 years ago
  • During an interview, the author of the post once got the question: "What is the most common security vulnerability?" To Lenin's surprise, it was system misconfiguration.
  • With people flocking from Twitter to Mastodon, the author of the post decided to take a look at the security of the Infosec Mastodon instance. While on it, they were curious how user content was stored. The content appeared to be an AWS S3-style XML response, and on top of that it was served by minio (Multi-Cloud Object Storage).
  • The hacker made some observations:
    • User content is uploaded to minio buckets.
    • If the content is fetched directly by a browser request, then there must be anonymous read access on those resources.
  • Using the minio client, which works much like the AWS S3 CLI, they were able to list the contents of the Mastodon bucket. Additionally, there were other folders in this bucket that were NOT meant to be public.
  • If we can read, can we write? The author attempted to upload something and it worked! They made a tiny modification to the Infosec Mastodon logo just to prove a point. What's the security issue? The bucket policy allows s3:* (every S3 action, not just read) for anonymous access. They noticed the same problem on other Mastodon servers as well.
  • Overall, a great commentary on the most common security vulnerability of them all - misconfigurations.
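To make the misconfiguration concrete, here is an added example (not from the post) that audits an S3/minio bucket policy for anonymous access beyond object read. The two policies are constructed for illustration: the post only states that the policy allowed s3:*, so the bucket name, prefix and exact JSON are assumptions.

```python
import json

# Constructed policies, not taken from the post. The permissive one mirrors the
# described failure: anonymous principal, s3:* on the whole bucket and its objects.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::example-mastodon-media",
                     "arn:aws:s3:::example-mastodon-media/*"],
    }],
})

# Hardened variant: anonymous users may only read objects under the public
# media prefix; no listing, no writes, no access to the rest of the bucket.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-mastodon-media/media_attachments/*"],
    }],
})

# The only action a public media bucket needs to expose to everyone.
ANON_ALLOWED_ACTIONS = {"s3:getobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or any {"AWS": "*"} style wildcard principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False


def audit_bucket_policy(policy_json):
    """Return findings for Allow statements giving anonymous users more than GetObject."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        excess = sorted(actions - ANON_ALLOWED_ACTIONS)  # wildcards and writes land here
        if excess:
            findings.append(f"statement {i}: anonymous principal allowed {excess}")
    return findings
```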