
Terence Eden

A question for practitioners.

I've found an abandoned AWS bucket from a very large company. It serves all the images & fonts in their billing emails.

I defensively registered it to prevent an attacker from injecting malicious content into the emails I receive.

Then I emailed their security.txt contact to inform them and offer to transfer it back (for free, obviously).

Was that the right thing to do? Should I have waited for a response from them before securing the bucket?

A month later and the company finally got back to me - after I told them I was writing a blog post about the incident.

Happy to say that I deleted the S3 name and they have reclaimed it. All the images in their billing emails are now being served by them again.

Doubt I'll get a , but virtue is its own reward, eh?

@Edent @neil Hey, I secured a Microsoft one that they were pointing o365 admins to, and I started serving people an .exe that was actually a text file containing copies of the emails I had sent to their security contact, and they never even replied. So, you know, I think just holding the bucket in safe keeping to hand back, or until they stop referring to it, is extremely benign and reasonable.

@interpipes @neil Errr... That might be going a bit far!

@Edent @neil Sure. On the other hand, they're a multi-billion dollar company which it sometimes feels like half the planet relies on. If they can't act more responsibly with their own systems then we're all in trouble and I have no problem throwing them under the bus in a way that doesn't actually expose anyone to harm.

@Edent Legally, on the face of it looks like a textbook case of negotiorum gestio (for those jurisdictions which have that, others use different concepts for it). So, yes, the right thing to do.

@Edent Was having trouble parsing… by "abandoned" you mean "nonexistent". So presumably their billing emails look kind of broken?

@timbray yup. Their emails all have
img src=":// whatever.s3.amazonaws.com/..."

But they no longer have that bucket name. They either surrendered it, forgot to renew, or something.

And now they have broken emails.
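The failure mode described in this exchange (an email body that still references an S3 bucket name nobody owns, so anyone can create the bucket and serve whatever they like at those URLs) is something you can check for mechanically. The following is an added example, not code from the thread or from any of the companies mentioned: it pulls S3 references out of an email's HTML (both virtual-hosted `bucket.s3[.region].amazonaws.com` hosts and path-style `s3[.region].amazonaws.com/bucket/...` URLs, in `src`/`href` attributes and in CSS `url(...)` for fonts), then classifies each bucket by the HTTP status an unauthenticated HEAD of the bucket root returns. S3 answers 404 (NoSuchBucket) for a name that does not exist, which is the claimable case, and 200, 403 or a redirect for a bucket that exists. The sample email and bucket names are constructed for the example; the live `head_bucket_status` helper is the only part that touches the network and is injectable so the audit can be run against canned statuses.

```python
import re
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample email body (hypothetical bucket names, not from the thread).
SAMPLE_EMAIL_HTML = """
<html><head><style>
  @font-face { font-family: "Brand";
               src: url("https://s3.eu-west-1.amazonaws.com/example-fonts/brand.woff2"); }
</style></head>
<body>
  <img src="https://example-billing-assets.s3.amazonaws.com/img/logo.png" alt="logo">
  <img src="https://www.example.com/pixel.gif" width="1" height="1">
</body></html>
"""

# Virtual-hosted style: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
# (bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens).
VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$"
)
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
PATH_HOST_RE = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


class _RefCollector(HTMLParser):
    """Collects every src/href attribute plus url(...) references found in CSS text."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href") and value:
                self.urls.append(value)

    def handle_data(self, data):
        # Covers @font-face { src: url(...) } inside <style> blocks.
        self.urls.extend(CSS_URL_RE.findall(data))


def extract_urls(html):
    collector = _RefCollector()
    collector.feed(html)
    return collector.urls


def bucket_from_url(url):
    """Return the S3 bucket name a URL points at, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    match = VHOST_RE.match(host)
    if match:
        return match.group("bucket")
    if PATH_HOST_RE.match(host):
        first = parsed.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def classify(status):
    """Map the status of an unauthenticated HEAD on the bucket root to a verdict."""
    if status == 404:
        return "unclaimed"   # NoSuchBucket: anyone with an AWS account can create it
    if status in (200, 403, 301, 307):
        return "exists"      # present (public, private, or in another region)
    return "unknown"


def head_bucket_status(bucket):
    """Live check: HEAD https://<bucket>.s3.amazonaws.com/ and return the HTTP status."""
    req = Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def audit_email(html, status_of=head_bucket_status):
    """Return {bucket: verdict} for every S3 bucket referenced by the email body."""
    buckets = sorted({b for b in (bucket_from_url(u) for u in extract_urls(html)) if b})
    return {b: classify(status_of(b)) for b in buckets}


if __name__ == "__main__":
    # Runs the live HEAD checks against the constructed sample's bucket names.
    for name, verdict in audit_email(SAMPLE_EMAIL_HTML).items():
        print(f"{name}: {verdict}")
```

Anything reported as `unclaimed` is a dangling reference: the sender is still emitting URLs under a name that anyone can register, which is exactly the position the thread describes. Note that `urllib` follows the 301 S3 returns for a bucket in another region, so a live check usually ends at 200 or 403 rather than the redirect itself; the `classify` table still treats all of those as existing.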

@Edent There is no good answer to this, so based on your description I think you did the best you could do realistically. If it is my company then I say thanks :)