Unsecured AWS bucket 'left Viacom open to hackers'
The public server exposed media firm's cloud to potential attacks


UpGuard has revealed a security hole in a Viacom server that it claims could have potentially allowed hackers to take control of the media giant's entire cloud infrastructure.
The company behind Paramount Pictures, MTV, Comedy Central and Nickelodeon was exposing a master provisioning server running Puppet to the general public, plus the credentials needed to build and maintain the majority of its infrastructure, according to UpGuard.
Even its secret cloud keys could be stolen and used, allowing hackers to break into the company's entire cloud-based server network and launch a large-scale cyber attack. The data could also be used for phishing, for example by using the company's name to carry out malicious attacks, or hackers could spin up additional servers to use Viacom's servers as a botnet.
"This cloud leak exposed the master controls of the world's sixth-largest media corporation, potentially enabling the takeover of Viacom's internal IT infrastructure and internet presence by any malicious actors," UpGuard's Dan O'Sullivan wrote in a blog post.
"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen."
The security hole was uncovered by UpGuard director of cyber risk research Chris Vickery, who discovered an AWS cloud storage bucket, located at the subdomain "mcs-puppet". It contained 72 .tgz files - backups that had been made at regular intervals since June 2017.
The last backup had been created on 30 August - the day before Vickery made Viacom aware of the publicly accessible information. Viacom patched the flaw within hours of Vickery telling it about the issue, according to Deadline.
No employee or customer information was compromised and an analysis found no "material impact", Viacom added.
However, when the files were unpacked, Vickery uncovered sensitive data relating to MTV, VH1 and Comedy Central. Digging deeper, Vickery found passwords and other details for Viacom's servers, the data needed to maintain the company's servers and the data needed to access its AWS account.
"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity," O'Sullivan said.
"Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom's digital infrastructure."
IT Pro has approached Viacom for comment.
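The exposed backups were .tgz archives that held AWS keys and other credentials. As an added example (not code from UpGuard, Viacom or IT Pro), the Python below sketches a pre-upload check that scans a .tgz backup for AWS access key IDs and private-key headers. The archive, its file names and contents are constructed, and the key shown is AWS's documentation placeholder.

```python
import io
import re
import tarfile

# Patterns for two credential types; the AWS access key ID format is public.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip huge members instead of reading them


def scan_tgz(fileobj):
    """Return sorted (member_name, finding) pairs for a gzip'd tar archive."""
    findings = set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_MEMBER_BYTES:
                continue
            data = tar.extractfile(member).read()
            for name, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.add((member.name, name))
    return sorted(findings)


def build_sample_backup():
    """Constructed sample archive; file names and contents are made up."""
    files = {
        "backup/manifests/site.pp": b"node default { include ntp }\n",
        # AWS's documentation placeholder key, not a real credential.
        "backup/hiera/common.yaml": b"aws_key: AKIAIOSFODNN7EXAMPLE\n",
        "backup/ssl/agent.pem": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, finding in scan_tgz(build_sample_backup()):
        print(f"{member}: {finding}")
```

A backup job could run a check like this before writing an archive to any bucket and refuse to upload when the result is non-empty.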

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.