To note: in some of the earlier screenshots you can see they have the EC2 Instances menu open in their tabs - that's a bit concerning. Why does a support engineer need AWS EC2 access?
If it's just a tab heading, we don't know if they have access or not. You can always open that page as long as you can log in. But it may show "you don't have permissions to display the instances". If you're thinking instead "why does a support engineer need AWS access" - CloudWatch metrics/logs come to mind.
The LAPSUS$ post suggests that they queried the AWS keys out of Slack. So the support engineers just have access to Slack, and Okta engineers were dumb enough to put those keys in Slack.
I'm incredulous that an auth-focused company would do this without someone freaking out? Even my much smaller SaaS companies would react quickly to stop and rotate these if this happened.
The things that go on at small SaaS companies would horrify many. One SaaS company I worked for had a "god-mode" password hard-coded into the source code. It was visible in plain text in the source, and you could log in as any customer if you knew this master password. Of course, this was not logged anywhere. When employees left, they'd change the password and deploy a new build.
Looking closely at that, I'm suspicious that LAPSUS$ is playing up what were perhaps trivial or ephemeral keys that were non-sensitive ... e.g. test / dev / debug instances, etc.
The reason I think that is because if they really had keys for production machines it seems very unlikely they wouldn't have used them to produce some more damaging collateral than they've presented.
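A defender-side check for the scenario raised in this thread (AWS keys pasted into Slack, and whether they were long-lived or ephemeral), as an added example that is not part of any comment here: it scans messages shaped like a Slack export for AWS access key IDs and ranks them for rotation. The function names, the channel name and the sample messages are assumptions constructed for illustration.

```python
import json
import re

# Access key IDs are 20 chars: AKIA = long-term IAM user key,
# ASIA = temporary STS credential (useless without a session token).
KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style chars. This also matches SHA-1
# hex and similar strings, so it only counts next to a key ID.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
KIND = {"AKIA": "long-term", "ASIA": "temporary"}

def redact(value):
    """Keep enough to recognise the key, never the whole value."""
    return value[:4] + "..." + value[-4:]

def scan_messages(channel, messages):
    """Return one finding per key ID, most urgent rotation first."""
    findings = []
    for msg in messages:
        text = msg.get("text", "")
        has_secret = SECRET.search(text) is not None
        for m in KEY_ID.finditer(text):
            findings.append({
                "channel": channel,
                "user": msg.get("user"),
                "ts": msg.get("ts"),
                "key_id": redact(m.group(0)),
                "kind": KIND[m.group(1)],
                "secret_in_same_message": has_secret,
            })
    # Long-term keys posted together with their secret sort to the top.
    findings.sort(key=lambda f: (f["kind"] != "long-term",
                                 not f["secret_in_same_message"]))
    return findings

# Constructed sample shaped like one Slack export day file. The AKIA pair
# is AWS's documentation example credential; the ASIA ID is made up.
SAMPLE = json.loads("""[
 {"user": "U01", "ts": "1647900000.000100", "text": "lunch?"},
 {"user": "U02", "ts": "1647900060.000200",
  "text": "tmp creds for the lab box: ASIAEXAMPLEEXAMPLE12"},
 {"user": "U03", "ts": "1647900120.000300",
  "text": "use AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
]""")

if __name__ == "__main__":
    for finding in scan_messages("support", SAMPLE):
        print(finding)
```

A finding only says a key-shaped string was posted; whether the key is still active and what it can reach has to be checked in the AWS account itself.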
Frequently, support teams have lab environments. Hopefully, it'd be an account per engineer, but at least isolated from production. If software engineers access these for reviewing issues which made their way to bugs, then potentially this is a vector that organizations should be concerned about. Attackers will be happy to make 20+ pivots, so even an isolated AWS account for a support engineer is a nice base.
Can you open the web console with just an access key? My impression was you could only use that to act through a CLI tool; at least officially, you need to have powers or act as a user with powers to use the web console directly?