By Matthew Dublin
You better pause your data uploads: researchers at the Ruhr-University Bochum announced today that they have identified some serious security gaps at Amazon Cloud Services.
The team was able to attack AWS clouds using XML signature wrapping and cross site scripting. There are several types of XML Signature Wrapping attacks which involve altering the signed message a web service client sends to the receiving web service. The attacker is able to change the content of the signed message without invalidating the signature which allowed the researchers to take over administrative control of a cloud, including creating new instances as well as adding or deleting virtual compute images.
Cross site scripting attacks also allowed them to get into the Amazon shop itself where they could access customer data, including authentication data and text passwords. This type of attack enables hackers to inject client-side script into web pages in order to bypass access controls.
Once the researchers completed their attacks, Amazon was notified about the security gaps and proceeded to shut them immediately.
"Based on our research results, Amazon confirmed the security gaps and closed them immediately...A major challenge for cloud providers is ensuring the absolute security of the data entrusted to them, which should only be accessible by the clients themselves," says Jörg Schwenk, who headed up the AWS attacks.
Schwenk is also quick to point out that private clouds, which are typically hosted at a site internally versus a public provider like AWS, are not safe from these types of attacks either. Eucalyptus, an open source project widely used to implement Cloud solutions within companies, did expose the same weaknesses. "A rough classification of cloud technologies cannot replace a thorough security investigation," he says.