Why Storing Plaintext Passwords in a Private S3 Bucket Is a Bad Idea

YevhSec1
Sep 25, 2023

Let’s imagine that you store usernames and passwords in cleartext in an S3 bucket, and that access to the bucket itself is configured correctly: an unauthenticated request to the bucket URL returns an “Access Denied” error, as shown below. Note that this only proves that listing the bucket (s3:ListBucket) is refused; it says nothing about whether individual objects can be fetched by anyone who knows their keys, because object ACLs and s3:GetObject statements in the bucket policy are evaluated separately from the listing permission.

However, a targeted Google search (for example a site: query against the bucket’s hostname) shows that files from the bucket have been indexed. A crawler only needs a link to an object and one window in which that object was publicly readable; once indexed, the URLs (and sometimes the content) stay discoverable even after the permissions are tightened.
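The gap between “listing denied” and “objects readable” is easy to test for. The script below is an added example, not code from the original post: it issues unauthenticated GETs to the bucket root and to each object key you have collected (for instance from search results), and reports which objects answer 200 while the listing answers 403. The bucket name acme-backups, the object keys, and the canned responses are constructed for this example; the HTTP fetcher is a parameter so the same logic runs offline against those constructed responses or, with the default fetcher, against a real bucket.

```python
"""Added example (not from the original post): show that "Access Denied" on the
bucket root does not prove the objects are private.

Assumptions (constructed for this example): the bucket name "acme-backups", the
object keys, and the canned responses below. Objects are addressed in the
virtual-hosted form https://<bucket>.s3.amazonaws.com/<key>, which is the URL a
search engine would have indexed.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ExposureReport:
    listing_denied: bool                            # GET on the bucket root returned 403
    readable: list = field(default_factory=list)    # keys readable without credentials
    denied: list = field(default_factory=list)      # keys that returned 403
    other: list = field(default_factory=list)       # (key, status) for anything else


def s3_url(bucket: str, key: str = "") -> str:
    """Virtual-hosted style URL; a GET with an empty key is a ListBucket request."""
    return f"https://{bucket}.s3.amazonaws.com/{key}"


def google_site_query(bucket: str) -> str:
    """The kind of search that surfaces objects of a bucket that were indexed."""
    return f"site:{bucket}.s3.amazonaws.com"


def anonymous_status(url: str) -> int:
    """Unauthenticated, unsigned GET; returns the HTTP status code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_exposure(bucket, keys, fetch_status=anonymous_status):
    """Compare the bucket-level answer with the per-object answers.

    `fetch_status` is injectable so the logic can be exercised against
    constructed responses; leave it at the default to probe a real bucket.
    """
    report = ExposureReport(listing_denied=fetch_status(s3_url(bucket)) == 403)
    for key in keys:
        status = fetch_status(s3_url(bucket, key))
        if status == 200:
            report.readable.append(key)
        elif status == 403:
            report.denied.append(key)
        else:
            report.other.append((key, status))
    return report


# Constructed responses mimicking the scenario in the post: listing is denied,
# but one object (the one a search engine indexed) is still world-readable.
CONSTRUCTED_RESPONSES = {
    s3_url("acme-backups"): 403,
    s3_url("acme-backups", "exports/users.csv"): 200,
    s3_url("acme-backups", "internal/keys.txt"): 403,
    s3_url("acme-backups", "old/deleted.csv"): 404,
}


def constructed_status(url: str) -> int:
    """Offline stand-in for anonymous_status using the constructed table."""
    return CONSTRUCTED_RESPONSES.get(url, 404)


if __name__ == "__main__":
    keys = ["exports/users.csv", "internal/keys.txt", "old/deleted.csv"]
    report = check_exposure("acme-backups", keys, constructed_status)
    print("search to try:", google_site_query("acme-backups"))
    print("bucket listing denied:", report.listing_denied)
    print("anonymously readable objects:", report.readable)
```

A 403 on the root together with a 200 on an object is exactly the situation the post describes; the fix is the object permission (or S3 Block Public Access), not the listing permission, and the indexed copy still has to be requested for removal separately.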

Opening the file gives us credentials for a large number of accounts, i.e. mass account hijacking. (Any geolocation checks or trusted-device protections on the target application are a separate hurdle that still has to be bypassed, but the credentials themselves are already gone.)

Don’t store sensitive information in cleartext, least of all username and password pairs. Keep only salted, slow password hashes (bcrypt, scrypt, Argon2 or PBKDF2), keep credential files out of buckets that a crawler can reach at all, turn on S3 Block Public Access at the account level, and periodically search for your own bucket hostnames to find what has already been indexed :)
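To make the recommendation concrete, here is an added example (not code from the original post) of what the file should have contained instead of cleartext: each user’s password replaced by a salted PBKDF2-HMAC-SHA256 record, with a verifier that recomputes the hash in constant time. The “username,password” line format and the two sample users are constructed for this example; PBKDF2 is used because it ships with the standard library, and bcrypt, scrypt or Argon2 would be equally valid choices.

```python
"""Added example (not from the original post): what the credential file should
hold instead of cleartext passwords.

Assumptions (constructed for this example): the "username,secret" line format
and the sample users below. PBKDF2-HMAC-SHA256 from the standard library is
used so the block runs anywhere; bcrypt/scrypt/Argon2 are equally valid.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, *, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def convert_plaintext_export(lines, iterations: int = ITERATIONS):
    """Turn 'user,password' lines (the file from the post) into 'user,record' lines.

    The password may itself contain commas, so split on the first comma only.
    """
    converted = []
    for line in lines:
        username, password = line.rstrip("\n").split(",", 1)
        converted.append(f"{username},{hash_password(password, iterations=iterations)}")
    return converted


def check_login(converted_lines, username: str, password: str) -> bool:
    """Look the user up in the converted file and verify the supplied password."""
    for line in converted_lines:
        user, record = line.split(",", 1)
        if user == username:
            return verify_password(password, record)
    return False


# Constructed sample of the kind of file the post describes.
PLAINTEXT_EXPORT = [
    "alice,Hunter2!",
    "bob,correct horse battery staple",
]

if __name__ == "__main__":
    hashed = convert_plaintext_export(PLAINTEXT_EXPORT)
    for line in hashed:
        print(line)                                   # no password recoverable from here
    print(check_login(hashed, "alice", "Hunter2!"))   # True
    print(check_login(hashed, "alice", "hunter2!"))   # False
```

Even in this form the file should not sit in a world-readable bucket: hashing limits the damage of a leak (an attacker has to crack each password offline instead of using it directly), it does not make the leak acceptable.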


YevhSec1

MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Paysera.