Viacom, the media conglomerate that owns Paramount, Comedy Central, MTV, and hundreds of other properties, has had a giant security flaw exposed by a security firm. The good news is that hackers don’t appear to have taken advantage of the weakness; the bad news is that credentials and configuration files for the backend of dozens of media properties were up for grabs on a vulnerable server.
According to UpGuard, the security firm that exposed the breach, a researcher found compressed backup files sitting on a publicly accessible Amazon Web Services storage bucket. The files contained details on Viacom’s Multiplatform Compute Services, the infrastructure behind hundreds of Viacom’s online properties. If that data had been found by someone with worse intentions, the consequences could have been catastrophic.
An UpGuard blog post details how the vulnerability was easily found:
On August 30th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered a publicly downloadable Amazon Web Services S3 cloud storage bucket, located at the subdomain “mcs-puppet” and containing seventy-two .tgz files. Vickery noted that each of the .tgz files, an extension often used for compressing backup data, had been created since June 2017 at irregular intervals; on some days, no such files had been created, while on others, five or six had been generated throughout the day.
It gets worse:
Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised. Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner.
Vickery contacted Viacom executives privately, shortly after discovering the breach, and the server was secured shortly afterwards. It’s a timely — and worrying! — reminder that data breaches don’t have to contain millions of personal files to be damaging; a gigabyte of passwords and config files can be just as bad as hundreds of millions of SSNs.