A question for #infosec practitioners.
I've found an abandoned AWS bucket from a very large company. It serves all the images & fonts in their billing emails.
I defensively registered it to prevent an attacker from injecting malicious content into the emails I receive.
Then I emailed their security.txt contact to inform them and offer to transfer it back (for free, obviously).
Was that the right thing to do? Should I have waited for a response from them before securing the bucket?
A month later and the company finally got back to me - after I told them I was writing a blog post about the incident.
Happy to say that I deleted the S3 name and they have reclaimed it. All the images in their billing emails are now being served by them again.
Doubt I'll get a #BugBounty, but virtue is its own reward, eh?
@Edent @neil hey, I secured a microsoft one that they were pointing o365 admins to and I started serving people an .exe that was actually a text file containing copies of the emails I had sent to their security contact and they never even replied, so, you know, I think just holding the bucket in safe keeping to hand back or until they stop referring to it is extremely benign and reasonable
@neil
Errr... That might be going a bit far!
@Edent @neil Sure. On the other hand, they're a multi-billion dollar company which it sometimes feels like half the planet relies on. If they can't act more responsibly with their own systems then we're all in trouble and I have no problem throwing them under the bus in a way that doesn't actually expose anyone to harm.
@Edent Legally, on the face of it looks like a textbook case of negotiorum gestio (for those jurisdictions which have that, others use different concepts for it). So, yes, the right thing to do.
Was having trouble parsing… by "abandoned" you mean "nonexistent". So presumably their billing emails look kind of broken?
@timbray yup. Their emails all have
img src=":// whatever.s3.amazonaws.com/..."
But they no longer have that bucket name. They either surrendered it, forgot to renew, or something.
And now they have broken emails.
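One defensive check the thread implies but never shows: scan the HTML of your own outgoing email templates for S3 references and ask S3 whether each bucket still exists. This is an added example, not code from any poster; the bucket names in the sample HTML are constructed, and the status mapping assumes S3's documented behaviour (404 for a bucket nobody owns, 403 for one that exists but denies anonymous access).

```python
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Virtual-hosted style: bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
S3_VHOST = re.compile(r"^(?:https?:)?//([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:/|$)", re.I)
# Path style: s3.amazonaws.com/bucket/... or s3.<region>.amazonaws.com/bucket/...
S3_PATH = re.compile(r"^(?:https?:)?//s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)(?:/|$)", re.I)

class _SrcCollector(HTMLParser):
    """Collects every src/href attribute value from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value.strip())

def s3_buckets_in_html(html):
    """Return the sorted, de-duplicated S3 bucket names referenced by the email."""
    parser = _SrcCollector()
    parser.feed(html)
    buckets = set()
    for url in parser.urls:
        for pattern in (S3_VHOST, S3_PATH):
            match = pattern.match(url)
            if match:
                buckets.add(match.group(1).lower())
    return sorted(buckets)

def classify_bucket_status(code):
    """Map the HTTP status of an anonymous HEAD on the bucket root to an ownership state."""
    return {404: "missing", 403: "exists-private", 200: "exists-public",
            301: "exists-other-region"}.get(code, "unknown")

def check_bucket(bucket, timeout=5):
    """Anonymous HEAD against the bucket; a 'missing' result means the name is unowned."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=timeout).close()
        code = 200
    except urllib.error.HTTPError as err:
        code = err.code
    return classify_bucket_status(code)

if __name__ == "__main__":
    # Usage: python check_email_buckets.py billing_template.html
    with open(sys.argv[1], encoding="utf-8") as fh:
        for name in s3_buckets_in_html(fh.read()):
            print(f"{name}: {check_bucket(name)}")
```

A `missing` result is exactly the state the thread describes: the template still points at a name that nobody owns, so either fix the template or re-create the bucket before someone else does.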
@Edent There is no good answer to this, so based on your description I think you did the best you could do realistically. If it is my company then I say thanks :)