Researchers demonstrated how vulnerable cloud computing services are if proper security measures are not taken
Researchers from the Horst Goertz Institute of the Ruhr-University Bochum, Germany have demonstrated an account hijacking attack against Amazon Web Services (AWS) which they believe affects other cloud computing products too. Using a technique known as XML signature wrapping or XML rewriting, the attack exploits weaknesses in the way Web services validate requests.
The loophole lies in the Web Services Security (WS-Security) protocol; it enables hackers to trick servers into validating digitally signed Simple Object Access Protocol (SOAP)
“Wrapping attacks aim at injecting a faked element into the message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. As a result, an attacker can perform an arbitrary Web Service request while authenticating as a legitimate user,” RUB experts explained in a paper published two years back.
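The mismatch the quote describes, and the check that closes it, as an added example that is not taken from the researchers' paper or from any vendor's code. It assumes a simplified message format in which an HMAC stands in for XML Signature; the element names, action names and key are all constructed.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # stand-in for the real signing key

def mac(elem):
    # Stand-in for XML Signature: HMAC over the serialized element (no canonicalization).
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def build(action, wrapped_action=None):
    """Constructed sample: a signed request, optionally rearranged as the quote describes."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.Element("Body", {"Id": "body"})
    ET.SubElement(body, "Action").text = action
    ET.SubElement(header, "Signature", {"URI": "#body"}).text = mac(body)
    if wrapped_action is None:
        env.append(body)
    else:
        ET.SubElement(header, "Wrapper").append(body)  # signed element, relocated
        fake = ET.SubElement(env, "Body", {"Id": "other"})
        ET.SubElement(fake, "Action").text = wrapped_action
    return env

def signed_element(env):
    """Verify the signature and return the one element it actually covers."""
    sig = env.find("Header/Signature")
    ref_id = sig.get("URI").lstrip("#")
    matches = [e for e in env.iter() if e.get("Id") == ref_id]
    if len(matches) != 1 or not hmac.compare_digest(sig.text, mac(matches[0])):
        raise ValueError("signature invalid")
    return matches[0]

def naive_handle(env):
    signed_element(env)                  # verification looks the element up by Id ...
    return env.find("Body/Action").text  # ... application logic looks it up by position

def strict_handle(env):
    signed = signed_element(env)
    bodies = env.findall("Body")
    # Process only the element the signature covered, and only if it is the sole Body.
    if len(bodies) != 1 or bodies[0] is not signed:
        raise ValueError("processed Body is not the signed element")
    return signed.find("Action").text
```

The flaw is not in the signature itself: both handlers verify it correctly, and only the strict one ties the verified element to the element that is executed.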
Last week, another practical hack against Amazon’s cloud infrastructure was demonstrated at the ACM Conference on Computer and Communications Security. The demonstration showed how one can get unauthorized access to Amazon’s Web Services. Using XML signature wrapping, the researchers were able to create and delete new images on the Elastic Compute Cloud (EC2). They were also able to perform different administrative tasks.
The researchers at the conference also made use of a cross-site scripting (XSS) vulnerability in Amazon’s store, which allowed them to hijack an AWS session. “We had free access to all customer data, including authentication data, tokens, and even plain text passwords,” said Mario Heiderich, group leader of the researchers. Heiderich discovered the loophole together with colleagues Juraj Somorovsky and Meiko Jensen. “It’s a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon cloud,” Heiderich explained.
After the discovery of these loopholes, Amazon updated its system to address these issues. But the researchers suspect that other cloud computing platforms are also affected. They have already examined an open source solution called Eucalyptus, which is used for private cloud computing infrastructure, and found that it is also vulnerable to XML rewriting attacks.
Joerg Schwenk, the head of network and data security at the HGI and the co-ordinator of the research team that discovered Amazon’s loophole, said, “We find these flaws in nearly every implementation. Other vendors are vulnerable, but we do not know of any other vendors using SOAP for accessing their cloud services.” His team also demonstrated an attack which exposes a vulnerability in the XML Encryption Standard.