When uploading an XPI to Normandy's new Extension API, the resulting resource includes AWS credentials in the S3 URL for the XPI. This problem exists on Normandy's master branch, and at time of discovery has been deployed to dev and stage. Dev's credentials have been revealed (protected by VPN), but Stage's have not because no extensions have been uploaded.
correction, dev's credentials are not protected by VPN
I just double-checked and they credentials in the page are not the host credentials like I initially thought they were. They are the credentials for a generated s3 access url, and should only grant temporary access to that specific object.
PR 912 has been merged. All environments that this has affected have been updated. (Not that it was actually an issue to begin with).
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.