
Researchers demo cloud security threat

By Nadine Arendse
Johannesburg, 28 Oct 2011

architectures and enable attackers to gain administrative rights and to gain access to all user , World reports.

While the researchers say they have told AWS about the security holes and AWS has fixed them, they believe the same types of attacks would be effective against other cloud services, "since the relevant Web service standards make performance and security incompatible".

The flaw is located in the WS-Security (Web Services Security) protocol and enables attackers to trick servers into authorising digitally signed SOAP (Simple Object Access Protocol) messages that have been altered, PCWorld says.

"Wrapping attacks aim at injecting a faked element into the message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. As a result, an attacker can perform an arbitrary Web Service request while authenticating as a legitimate user," the RUB experts explained in a research paper, published in 2009.
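The mismatch described in that quote, between the element a signature covers and the element the application processes, is shown below next to a check that closes it. This Python is an added example, not code from the research paper or from AWS; the message layout, the HMAC standing in for an XML signature, the key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"demo-key"  # constructed shared key; stands in for the signer's credential


def mac(elem):
    """MAC over the element's serialized bytes (simplified stand-in for XML Signature)."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def signed_element(root):
    """Return the element the signature references by Id if its MAC verifies, else None."""
    sig = root.find("Header/Signature")
    if sig is None:
        return None
    for elem in root.iter():
        if elem.get("Id") == sig.get("ref"):
            return elem if hmac.compare_digest(mac(elem), sig.get("mac", "")) else None
    return None


def naive_handle(root):
    """Vulnerable pattern: verify one element, then process another."""
    if signed_element(root) is None:
        return "rejected"
    return root.find("Body/Action").text  # whatever sits at Envelope/Body


def strict_handle(root):
    """Hardened pattern: process only the verified element, at its expected position."""
    verified = signed_element(root)
    if verified is None or verified is not root.find("Body"):
        return "rejected"
    return verified.find("Action").text


def build_samples():
    """Constructed sample messages: a legitimate one and a wrapped copy of it."""
    body = '<Body Id="b1"><Action>ListItems</Action></Body>'
    sig = f'<Signature ref="b1" mac="{mac(ET.fromstring(body))}"/>'
    good = ET.fromstring(f"<Envelope><Header>{sig}</Header>{body}</Envelope>")
    wrapped = ET.fromstring(
        f"<Envelope><Header>{sig}<Wrapper>{body}</Wrapper></Header>"
        '<Body Id="b2"><Action>DeleteItems</Action></Body></Envelope>')
    return good, wrapped
```

On the wrapped sample the signature still verifies, because the signed element is intact inside the header, so `naive_handle` acts on the unsigned body while `strict_handle` rejects the message.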

In addition, a separate cross-site scripting vulnerability in Amazon's store allowed the team to hijack an AWS session. "We had free access to all customer data, including authentication data, tokens, and even plain text passwords," said Mario Heiderich, who discovered the flaw together with colleagues Juraj Somorovsky and Meiko Jensen.

According to eSecurity Planet, the new practical attack against Amazon's cloud infrastructure was demonstrated at the ACM Conference on Computer and Communications Security last week, and involved obtaining unauthorised access to an AWS account.
