Supply Chain Vuln Compromised Core AWS GitHub Repos & Threatened the AWS Console(www.wiz.io)
70 pointsby uvuv6 hours ago5 comments
  • chuckadams4 hours ago
    Breaking this down, several of AWS's core repos like the JS SDK use an allowlist of which contributor ids can run workflow actions in their PRs. The list was a regex, contained several short ids, and wasn't anchored with ^$, so if it allowed user 12345, then any userid containing 12345 could run their own actions on the PR, including one that exfiltrated access tokens. So they spammed GH with user creation requests, got an id that matched, and they were in like Flynn.

    Said tokens didn't have admin access, but had enough privileges to invite other users to become full admins. Not sure if they were rotated, but github tokens are usually long-lived, like up to a year. Hey, isn't AWS the one always lecturing us to use temporary credentials? To be fair, AWS did more than just fix the regex, they introduced an "approve workflow run" UI unto the PR process that I think GH is also using now (not sure about that).

    • bflesch3 hours ago
      At least the vuln was old enough so that they couldn't blame AI for it, otherwise the article would read different ;)
    • TacticalCoder2 hours ago
      > The list was a regex ...

      Regexpes for security allow lists: what could possibly every go wrong uh!?

    • cyberax3 hours ago
      > Said tokens didn't have admin access, but had enough privileges to invite other users to become full admins.

      Ah... Github permissions. What fun.

      Github actually has a way to federate with AWS for short-lived credentials, but then it screws everything up by completely half-assing the ghcr.io implementation. It's only available using the old deprecated classic access tokens.

    • whatever1an hour ago
      Another success story for Regexes! Let's keep using this cryptic mess!
      • pxc27 minutes ago
        I met regexes when I was 13, I think. I spent a little time reading the Java API docs on the language's regex implementation and played with a couple of regex testing websites during an introductory programming class at that age. I've used them for the rest of my life without any difficulty. Strict (formal) regexes are extremely simple, and even when using crazy implementations that allow all kinds of backreferences and conditionals, 99.999% of regexes in the wild are extremely simple as well. And that's true in the example from TFA! There's nothing tricky or cryptic about this regex.

        That said, what this regex wanted to be was obviously just a list. AWS should offer simpler abstractions (like lists) where they make sense.

  • themafia37 minutes ago
    I always wondered if their decision to limit availability of CodeCommit had something to do with the overall quality of the underlying implementation. It always came off as an "also ran" product without any real care or effort put into it. Either that or the team responsible for creating it ultimately left the company.. anyways..

    This article lends some credibility to that notion.

  • mikesurowiec2 hours ago
    I worked on docs at GitHub which are open source, synced to an internal repo, and deployed on internal infra. I recall jumping through many hoops to make it work safely. These were workflows that had secrets access for deployments, and I recall zipping files, doing some weird handoffs/file filtering between different workflows based on the triggers and permissions. Security folks were really quick to find any gaps =)

    Glad to see a few more security knobs on actions these days!

  • McAdam3 hours ago
    happens to the best of us
  • teeklp3 hours ago
    Oh no, is the AWS Console ok?