Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Senators Urge AWS Investigation After Capital One Breach

Two Democratic Party senators have demanded an investigation into whether Amazon Web Services (AWS) broke the law by failing to secure infrastructure which was compromised in the Capital One breach.

Former AWS software engineer Paige Thompson has been accused by prosecutors of the attack on the US bank and 30 other organizations. It’s said to have affected around 100 million US and Canadian customers and applicants of the financial institution, including consumers and small businesses.

Reports have hitherto focused on a misconfigured web application firewall (WAF) hosted by the bank in the AWS cloud as the main factor in the attack.

Specifically, Thompson is thought to have exploited this to conduct a Server Side Request Forgery (SSRF) attack, tricking the WAF into running non-permitted commands which allowed her to talk to the AWS “metadata” service, in order to grab key credentials.

However, following the incident, security experts argued that AWS should be doing more to implement mitigations to help prevent SSRF attacks on its platform.

“The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it,” said Cloudflare’s Evan Johnson.

Now senators Ron Wyden and Elizabeth Warren have penned an open letter to the FTC, asking it to investigate if “Amazon’s failure to secure the servers it rented to Capital One may have violated federal law.”

It noted that while Google and Microsoft have both taken steps to protect customers from SSRF attacks, “Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public.”

AWS is likely to rebuff the claim, however, as it has argued in the past that, had Capital One not misconfigured its WAF, the SSRF attack would not have been possible.

In fact, SSRF is just one of several techniques that could have been used to gain access to the bank’s data, it has claimed.

What’s Hot on Infosecurity Magazine?