Unsecured AWS bucket 'left Viacom open to hackers'

The public server exposed media firm's cloud to potential attacks

Leaky bucket

UpGuard has revealed a security hole in a Viacom server that it claims could have potentially allowed hackers to take control of the media giant's entire cloud infrastructure.

The company behind Paramount Pictures, MTV, Comedy Central and Nickelodeon was exposing a master provisioning server running Puppet to the general public, plus the credentials needed to build and maintain the majority of its infrastructure, according to UpGuard.

Even its secret cloud keys were possible to steal and use, allowing hackers to break into the company's entire cloud-based server network, launching a large-scale cyber attack. The data could be used for phishing, for example using the company's name to carry out malicious attacks or hackers could spin off additional servers to use Viacom's servers as a botnet.

"This cloud leak exposed the master controls of the world's sixth-largest media corporation, potentially enabling the takeover of Viacom's internal IT infrastructure and internet presence by any malicious actors," Upguard's Dan O'Sullivan wrote in a blog post.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen."

The security hole was uncovered by UpGuard director of cyber risk research Chris Vickery, who discovered an AWS cloud storage bucket, located at the subdomain "mcs-puppet". It contained 72 .tgz files - backups that had been made at regular intervals since June 2017.

The last backup had been created on 30 August - the day before Vickery made Viacom aware of the publicly accessible information. Viacom patched the flaw within hours of Vickery telling it about the issue, according to Deadline.

No employee or customer information was compromised and an analysis found no "material impact", Viacom added.

However, when the files were unpacked, Vickery uncovered sensitive data relating to MTV, VH1 and Comedy Central. Digging deeper, Vickery found passwords and other details for Viacom's servers, the data needed to maintain the company's servers and the data needed to access its AWS account.

"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity," O'Sullivan said.

Advertisement - Article continues below

"Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom's digital infrastructure."

IT Pro has approached Viacom for comment.

Picture: Bigstock

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/security/cyber-security/354827/mcafee-researchers-trick-tesla-autopilot-with-a-strip-of-tape
cyber security

McAfee researchers trick Tesla autopilot with a strip of tape

21 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020