Closed Bug 1608623 Opened 6 years ago Closed 6 years ago

Exposed S3 Buckets

Categories

(Websites :: Web Analytics, task, P2)

Production

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: bibekshah000, Unassigned)

Details

(4 keywords, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hi, I found one of your exposed S3 buckets with directory listing enabled, which reveals a lot of Mozilla's data.

S3 bucket: http://charts.mozilla.org.s3-us-west-2.amazonaws.com/

I hope you understand the issue.

Flags: sec-bounty?
Component: Other → Web Analytics
Priority: -- → P2
Version: unspecified → Production

Hi reporter, thanks for this. However I don't think this is an issue, i.e. it does not look like the listed items are sensitive.

Kyle, are you able to confirm that the contents of this s3 bucket are / should be public? Thanks.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(klahnakoski)

aws s3 ls s3://charts.mozilla.org --no-sign-request
PRE FreshOranges/
PRE JSON-Formatter/
PRE MoBuildbotTimings/
PRE NeglectedOranges/
PRE TopBugzillaDups/
PRE bugzilla/
PRE contributors/
PRE coverage-test/
PRE coverage/
PRE metrics/
PRE quantum/
PRE testfailures/
These are the contents of the S3 bucket. It contains directory listing, which is not good for the company, as it reveals its data to the public. So this is a valid issue in my though

thought*

All these buckets are public, on GitHub.

Flags: needinfo?(klahnakoski)

Can you give me a link to it?

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-
Group: websites-security