Channel: iTWire - Business IT - Networking, Open Source, Security & Tech News

Football Australia data leak exposes player contracts, passports, plus ticket buyer data

Australia's governing football body, Football Australia, has reportedly and inadvertently leaked AWS access keys that potentially gave access to 127 buckets of data, including player contracts, ticket buyers' information, and more.

The leak was discovered by the Cybernews research team, which found Football Australia's website included a plaintext AWS access key ID and secret access key, embedded right in the client-side HTML code and viewable by any browser and any website visitor.

It's an "own goal," the Cybernews team said.

That key pair is a credential for AWS resources, where Football Australia stores data; in particular, the researchers found 127 storage buckets full of confidential information were directly accessible with nothing more than those keys.


An access key pair is something the AWS customer needs to keep private, inside their organisation; by embedding it within HTML the keys are publicly visible and, additionally, indexed by search engines and thus discoverable by anyone searching for them.

The researchers informed Football Australia before publishing their findings, and Football Australia has resolved the technical issues, preventing any further access or discoverability.

iTWire has independently confirmed the existence of the vulnerability, and you can check it yourself: take the snapshot of the Football Australia "football network" website from 5 Mar 2022 on the Internet Archive Wayback Machine, open the page, right-click in your web browser and select 'view source'. Search for 'aws' and you will find this code directly on the page, within a section of client-side JavaScript:

<script>
window.CognitoRegion = "ap-southeast-2";
window.AwsAccessKeyId = "AKIAJKZDWQKWONYEWSCA";
window.AwsSecretAccessKey = "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";
window.CognitoUserPoolId = "ap-southeast-2_3RiyW2G3K";
window.CognitoClientId = "664jksc64908e8mjjib1aqikca";
</script>


It's safe for iTWire to post this, as the credentials have been revoked, but it should serve as a sombre reminder and wake-up call to technology professionals worldwide to protect their credentials and secrets. It's most likely the developer responsible for this page intended their code to be server-side JavaScript, which is not sent to the browser. Note the difference between the values in that snippet: the Cognito user pool ID and app client ID are designed to be shipped to the browser, but an IAM access key ID and secret access key are long-lived account credentials that never belong in client-side code; a browser client should instead sign in through Cognito and receive short-lived, user-scoped credentials.

It's also not an individual failure; the code would normally go through testing, QA, peer review and other checks before being published, so an entire development pipeline missed the vulnerability. An automated secret scan of the build output, or of the rendered page, would have caught a key ID of this well-known format.
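As an added example (not code from the article or from Football Australia), here is the kind of scanner a CI step or a reviewer could run over rendered page source to catch exactly this leak, alongside the hardened shape of the same configuration. The function names `scanForAwsCredentials`, `redact` and `hasBlockingFindings` are my own; the key-format rules (a 20-character access key ID beginning with AKIA or ASIA, a 40-character secret) are AWS conventions. Both sample inputs are constructed: the leaked one reproduces the snippet quoted above, using the pair that has since been revoked, and the hardened one keeps only the identifiers that are meant to be public.

```javascript
// Added example, not code from the article or from Football Australia: a small
// scanner of the kind a CI step or reviewer could run over rendered page source
// to catch the leak described above, plus the hardened shape of the same config.
// The sample inputs below are constructed; the key pair in LEAKED_SNIPPET is the
// revoked pair quoted in the article.

// IAM long-term access key IDs are 20 characters: the prefix "AKIA" (or "ASIA"
// for temporary STS credentials) followed by 16 upper-case alphanumerics.
const ACCESS_KEY_ID_RE = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;
// Secret access keys are 40 characters from the base64 alphabet. Alone that
// matches many innocent tokens, so a secret is only reported when the same
// line also mentions "secret" and the token is quoted.
const SECRET_KEY_RE = /["'`]([A-Za-z0-9/+]{40})["'`]/g;
const SECRET_HINT_RE = /secret/i;
// Cognito user pool and app client IDs are designed to be shipped to the
// browser; they are reported as informational so a reviewer can tell the
// public identifiers apart from the private key pair.
const COGNITO_HINT_RE = /cognito/i;
const COGNITO_POOL_ID_RE = /\b[a-z]{2}-[a-z]+-\d_[A-Za-z0-9]{9}\b/g;
const COGNITO_CLIENT_ID_RE = /["'`]([a-z0-9]{26})["'`]/g;

// Keep only enough of a value to correlate the finding with a key in IAM.
function redact(value) {
  return value.slice(0, 4) + '*'.repeat(value.length - 8) + value.slice(-4);
}

// Returns one finding per match: { line, kind, severity, value }.
function scanForAwsCredentials(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const line = index + 1;
    for (const m of text.matchAll(ACCESS_KEY_ID_RE)) {
      findings.push({ line, kind: 'aws_access_key_id', severity: 'critical', value: redact(m[0]) });
    }
    if (SECRET_HINT_RE.test(text)) {
      for (const m of text.matchAll(SECRET_KEY_RE)) {
        findings.push({ line, kind: 'aws_secret_access_key', severity: 'critical', value: redact(m[1]) });
      }
    }
    if (COGNITO_HINT_RE.test(text)) {
      for (const m of text.matchAll(COGNITO_POOL_ID_RE)) {
        findings.push({ line, kind: 'cognito_user_pool_id', severity: 'info', value: m[0] });
      }
      for (const m of text.matchAll(COGNITO_CLIENT_ID_RE)) {
        findings.push({ line, kind: 'cognito_app_client_id', severity: 'info', value: m[1] });
      }
    }
  });
  return findings;
}

// A CI gate would fail the build on any critical finding.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.severity === 'critical');
}

// Constructed from the snippet quoted in the article: the IAM key pair sits
// in client-side JavaScript next to the Cognito identifiers.
const LEAKED_SNIPPET = `<script>
window.CognitoRegion = "ap-southeast-2";
window.AwsAccessKeyId = "AKIAJKZDWQKWONYEWSCA";
window.AwsSecretAccessKey = "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";
window.CognitoUserPoolId = "ap-southeast-2_3RiyW2G3K";
window.CognitoClientId = "664jksc64908e8mjjib1aqikca";
</script>`;

// Constructed hardened form: only the public Cognito identifiers reach the
// browser. The IAM key pair stays server-side, or is replaced by short-lived
// per-user credentials issued through Cognito after sign-in.
const HARDENED_SNIPPET = `<script>
window.CognitoRegion = "ap-southeast-2";
window.CognitoUserPoolId = "ap-southeast-2_3RiyW2G3K";
window.CognitoClientId = "664jksc64908e8mjjib1aqikca";
</script>`;

for (const [name, source] of [['leaked', LEAKED_SNIPPET], ['hardened', HARDENED_SNIPPET]]) {
  const findings = scanForAwsCredentials(source);
  console.log(`${name}: ${hasBlockingFindings(findings) ? 'FAIL' : 'ok'}`, findings);
}
```

Run it with `node` and the leaked snippet fails on two critical findings (lines 3 and 4, values redacted in the report) while the hardened one passes with only the two informational Cognito identifiers. Reporting redacted values matters: a scanner's own output, logged in CI, is one more place a secret can end up in plaintext.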

According to the Cybernews research team, the exposed details included:

  • Personally identifiable information of players, including contracts and passport details
  • Ticket purchase information
  • Internal infrastructure details
  • Source code of the digital infrastructure
  • Scripts of the digital infrastructure

“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” researchers claim.

Football Australia said to iTWire, "Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority. Football Australia takes the security of all its stakeholders seriously. We will keep our stakeholders updated as we establish more details.”

While Cybernews identified that the vulnerability existed, it is important to note there is no information to suggest data has been taken by any malicious and unauthorised persons. However, just as Cybernews found the vulnerability by searching for secret keys online, so too could any malicious actor, and whether the keys were ever used by someone else is something Football Australia can establish from its own AWS CloudTrail logs (with S3 data events enabled), which record the access key ID behind each API call. Given that iTWire can confirm the existence of the keys as far back as March 2022, almost 24 months ago, it's clear the secret was exposed for a significant time.

It's also not the first (and won't be the last) time that AWS credentials, or those of other cloud providers, have been released in plaintext. Other companies have found themselves running up tens of thousands of dollars of AWS infrastructure costs after criminals used their leaked keys. It's such a serious concern that the world's largest open-source software repository, GitHub, now provides automatic secret scanning to alert its users if they have stored a secret, such as an AWS key, in their code.

Horrifyingly, even a simple search for code within an HTML page on nerdydata reveals, right now, at least 18 other websites that potentially have this vulnerability. That took only a few seconds with a simple search term.

Cyber Security Forum Initiative (CSFI) senior fellow for Australia and New Zealand Caity Randall said, "In our increasingly digital world, it is imperative for organisations to prioritise cyber security and continuously refine our information and communication technology practices. By fostering industry collaboration and promoting shared knowledge and communication, we can collectively enhance our safety and security in the digital world that is our reality."

"This data leak highlights the critical need for organisations to recognise the value of the data they possess, the methods they employ to protect it, and the potentially devastating consequences of data breaches."
