IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Unsecured AWS bucket 'left Viacom open to hackers'

The public server exposed media firm's cloud to potential attacks

UpGuard has revealed a security hole in a Viacom server that it claims could have potentially allowed hackers to take control of the media giant's entire cloud infrastructure.

The company behind Paramount Pictures, MTV, Comedy Central and Nickelodeon was exposing a master provisioning server running Puppet to the general public, plus the credentials needed to build and maintain the majority of its infrastructure, according to UpGuard.

Even its secret cloud keys were possible to steal and use, allowing hackers to break into the company's entire cloud-based server network, launching a large-scale cyber attack. The data could be used for phishing, for example using the company's name to carry out malicious attacks or hackers could spin off additional servers to use Viacom's servers as a botnet.

"This cloud leak exposed the master controls of the world's sixth-largest media corporation, potentially enabling the takeover of Viacom's internal IT infrastructure and internet presence by any malicious actors," Upguard's Dan O'Sullivan wrote in a blog post.

"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen."

The security hole was uncovered by UpGuard director of cyber risk research Chris Vickery, who discovered an AWS cloud storage bucket, located at the subdomain "mcs-puppet". It contained 72 .tgz files - backups that had been made at regular intervals since June 2017.

The last backup had been created on 30 August - the day before Vickery made Viacom aware of the publicly accessible information. Viacom patched the flaw within hours of Vickery telling it about the issue, according to Deadline.

No employee or customer information was compromised and an analysis found no "material impact", Viacom added.

However, when the files were unpacked, Vickery uncovered sensitive data relating to MTV, VH1 and Comedy Central. Digging deeper, Vickery found passwords and other details for Viacom's servers, the data needed to maintain the company's servers and the data needed to access its AWS account.

"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity," O'Sullivan said.

"Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom's digital infrastructure."

IT Pro has approached Viacom for comment.

Picture: Bigstock

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Google merges Chrome and Android password managers after community feedback
Security

Google merges Chrome and Android password managers after community feedback

1 Jul 2022
Apple, Google, Microsoft expand their support for password-less sign-ins
cyber security

Apple, Google, Microsoft expand their support for password-less sign-ins

6 May 2022
NordPass teams up with insurance provider Cowbell Cyber to improve security awareness
cyber security

NordPass teams up with insurance provider Cowbell Cyber to improve security awareness

18 Feb 2022
NCA donates 225 million passwords to Have I Been Pwned
cyber security

NCA donates 225 million passwords to Have I Been Pwned

21 Dec 2021

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022