Unsecured AWS bucket 'left Viacom open to hackers'

The public server exposed media firm's cloud to potential attacks

UpGuard has revealed a security hole in a Viacom server that it claims could have potentially allowed hackers to take control of the media giant's entire cloud infrastructure.

The company behind Paramount Pictures, MTV, Comedy Central and Nickelodeon was exposing a master provisioning server running Puppet to the general public, plus the credentials needed to build and maintain the majority of its infrastructure, according to UpGuard.

Even its secret cloud keys were possible to steal and use, allowing hackers to break into the company's entire cloud-based server network, launching a large-scale cyber attack. The data could be used for phishing, for example using the company's name to carry out malicious attacks or hackers could spin off additional servers to use Viacom's servers as a botnet.

"This cloud leak exposed the master controls of the world's sixth-largest media corporation, potentially enabling the takeover of Viacom's internal IT infrastructure and internet presence by any malicious actors," Upguard's Dan O'Sullivan wrote in a blog post.

"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen."

The security hole was uncovered by UpGuard director of cyber risk research Chris Vickery, who discovered an AWS cloud storage bucket, located at the subdomain "mcs-puppet". It contained 72 .tgz files - backups that had been made at regular intervals since June 2017.

The last backup had been created on 30 August - the day before Vickery made Viacom aware of the publicly accessible information. Viacom patched the flaw within hours of Vickery telling it about the issue, according to Deadline.

No employee or customer information was compromised and an analysis found no "material impact", Viacom added.

However, when the files were unpacked, Vickery uncovered sensitive data relating to MTV, VH1 and Comedy Central. Digging deeper, Vickery found passwords and other details for Viacom's servers, the data needed to maintain the company's servers and the data needed to access its AWS account.

"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity," O'Sullivan said.

"Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom's digital infrastructure."

IT Pro has approached Viacom for comment.

Picture: Bigstock

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021
Keeper Security review: Keeps corporate password management simple
Software

Keeper Security review: Keeps corporate password management simple

9 Jul 2021
Dashlane review: A very web-focused password manager
Security

Dashlane review: A very web-focused password manager

2 Jul 2021
LastPass review: Great to administrate, a little clunky to use
Software

LastPass review: Great to administrate, a little clunky to use

25 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021