A Technical Analysis of the Capital One Hack
The recent disclosure of yet another cloud security misconfiguration leading to the loss of sensitive personal information made the headlines this past week. This particular incident came with a bit more information from the indictment of the accused party, allowing us to piece together the revealed data and take an educated guess as to what may have transpired leading up to the loss of over 100 million credit card applications and 100 thousand social security numbers. At the root of the hack lies a common refrain: the misconfiguration of cloud infrastructure resources allowed an unauthorized user to elevate her privileges and compromise sensitive documents.
Similar incidents have made the news over the past 2–3 years, including the high-profile leak of nearly 200 million voter records, terabytes of classified documents from the pentagon, and half-a-billion Facebook profiles. According to the 12-page indictment (PDF), this compromise originated with the invocation of arbitrary user requests on a server ran by Capital One in its AWS account. The indictment does not detail the specific vulnerability that enabled these commands, but most signs point to it being a Server-Side Request Forgery (SSRF) attack.
An SSRF attack tricks a server into executing commands on behalf of a remote user, enabling the user to treat the server as a proxy for his or her requests and get access to non-public endpoints.