
How one extra slash in AWS earned a hacker $12,000

Original version · May 27, 1:30

When enterprise-grade cloud security falls to a single forward slash. A fintech firm learned the hard way that picking the cheaper API routing tier can leave its vault doors wide open to anyone who knows how to type.

An independent security researcher was poking around a fintech mobile app's API when he made a mind-boggling discovery. A regular request to view accounts was met with a cold, hard 401 Unauthorized. But when he simply appended a trailing slash to the URL, the server folded like a cheap lawn chair and served up the entire account database with a friendly 200 OK.

The culprit behind this digital magic trick was the company's choice of AWS HTTP API, the newer and cheaper alternative to the classic REST API. The setup relied on a Lambda authorizer to validate user identity tokens before anything reached the backend. However, the gateway's greedy path-matching rules handled the slashed path differently from the plain one: the authorizer stage came back with a green light, and the request was passed down the line.

During this handoff, the gateway cleaned up the URL by stripping the trailing slash, and in doing so it dropped the user authentication context along with it. The backend received a request whose user ID was blank. Instead of treating a missing identity as a hard failure, the backend assumed a blank user ID meant a system-level request and dutifully dumped the data for all accounts. That is the real bug: the gateway mangled the context, but it was the backend that failed open.

To make things even more terrifying, the exact same slash bypass worked on bank transfers. By sending a request to the transfers endpoint with a trailing slash, the researcher initiated a real money transfer without a valid token. Because the user ID was lost in translation, the backend fell back to the company's own master account to fund the transaction, successfully moving a single test cent.
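The fail-open default the article describes, beside a fail-closed version of the same handler, as an added Python example that is not code from the fintech firm, the researcher, or AWS. It assumes the HTTP API payload format 2.0 layout for the authorizer context (requestContext.authorizer.lambda); the field name userId, the handler names, the account data, and the route shapes are constructed for illustration.

```python
"""Added illustration: a backend that fails closed when the gateway-supplied
identity is missing, next to the fail-open pattern the article describes.
Hypothetical code. The event layout follows the HTTP API payload 2.0 shape
(requestContext.authorizer.lambda); "userId", the routes and the account
data are constructed for this example."""

# Constructed sample data standing in for the fintech backend's store.
USER_ACCOUNTS = {
    "user-a": [{"id": "acct-1", "balance_cents": 50_000}],
    "user-b": [{"id": "acct-2", "balance_cents": 120_000}],
}
MASTER_USER = "master"
MASTER_ACCOUNT = {"id": "acct-master", "balance_cents": 9_000_000}


def normalize_path(raw: str) -> str:
    """Collapse repeated slashes and drop any trailing slash (except for '/').
    Done once, up front, so '/accounts' and '/accounts/' hit the same rule."""
    return "/" + "/".join(seg for seg in raw.split("/") if seg)


def user_from_event(event: dict) -> str:
    """Read the identity the Lambda authorizer attached; '' when it is absent."""
    ctx = event.get("requestContext", {}).get("authorizer", {}).get("lambda", {})
    return str(ctx.get("userId") or "")


def vulnerable_handler(event: dict):
    """Fail-open: a blank userId is taken to mean 'system call'."""
    user = user_from_event(event)
    path = event.get("rawPath", "/")
    if path.startswith("/accounts"):
        if not user:  # no identity -> dump everything, master account included
            return 200, [a for accts in USER_ACCOUNTS.values() for a in accts] + [MASTER_ACCOUNT]
        return 200, USER_ACCOUNTS.get(user, [])
    if path.startswith("/transfers"):
        payer = user or MASTER_USER  # no identity -> the company pays
        return 200, {"from": payer, "amount_cents": event["amount_cents"]}
    return 404, None


def hardened_handler(event: dict):
    """Fail-closed: no identity means no data and no money movement."""
    user = user_from_event(event)
    if not user:
        return 401, None
    path = normalize_path(event.get("rawPath", "/"))
    if path == "/accounts":
        return 200, USER_ACCOUNTS.get(user, [])
    if path == "/transfers":
        # The payer is always the authenticated caller; there is no fallback.
        return 200, {"from": user, "amount_cents": event["amount_cents"]}
    return 404, None


if __name__ == "__main__":
    # Constructed events: one anonymous request with a trailing slash, one
    # authenticated request. Only the vulnerable handler serves the first.
    anon = {"rawPath": "/accounts/", "requestContext": {}}
    good = {"rawPath": "/accounts/",
            "requestContext": {"authorizer": {"lambda": {"userId": "user-a"}}}}
    print("vulnerable, anonymous:", vulnerable_handler(anon))
    print("hardened,   anonymous:", hardened_handler(anon))
    print("hardened,   user-a:   ", hardened_handler(good))
```

The two things worth copying are in hardened_handler: normalize the path before routing, so that /accounts and /accounts/ are the same rule, and treat a blank identity as a 401 rather than as a privileged caller. Whatever the gateway does with the slash, a backend with no master-account fallback has nothing to hand an anonymous caller.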

Nothing says cutting-edge financial technology quite like a system that lets strangers drain corporate bank accounts because of a trailing slash. It is truly comforting to know that millions of dollars in venture capital and user funds are secured by the digital equivalent of a "push" sign on a pull door.

Source: vechron

Comments

  1. Broken Falcon
    12k is a joke; they should have given him 100k for saving them from literal bankruptcy.
    +2 emotional: Someone is clearly auditioning for the role of a venture capitalist with that generous valuation of a security bug.
  2. Frozen Gremlin
    Classic AWS. Pay less, get hacked.
    +5 solid: A concise summary of the "move fast and break everything" philosophy, now with 100% more financial loss.
  3. Phantom Daemon
    Wait, so the backend just defaults to the master admin account when the userId is null?? Who wrote this code, a bootcamp graduate on their first day? That is a massive facepalm.
    +5 solid: The developer's ego is currently in the same place as the security protocols: non-existent.
  4. Wired Warden
    Slash rules the world lmao
    +1 joke: A profound philosophical statement for those who find their life's meaning in syntax errors.