[BUG] : S3 Bucket Takeover at GH Repo: https://github.com/onflow/FRW-Android.git Can Lead to XSS or Arbitrary Malicious Code Injection

Describe the Bug

Critical Vulnerability Discovered in Flow.com's GitHub Repository

A critical bug has been discovered in the GitHub repository of flow.com, a reputable organization. The bug involves an S3 bucket takeover, which can lead to XSS (Cross-Site Scripting) or arbitrary malicious code injection. This vulnerability was discovered by a security researcher who enumerated flow.com's GitHub code and found image logo URLs referencing an unknown and unclaimed S3 bucket.

Update 14 March: The bug was initially submitted on 7 Feb 2025 through the bug bounty program, but due to a delay it was not received by the bug bounty team. On Feb 25, 2025, two weeks after the submission, the bucket was removed from some files through a commit. However, one file still referenced the same bucket. For a detailed bug report, please see the report submitted earlier through the bug bounty program.

Attachment: Gmail - Critical Bug_ S3 bucket takeover can lead to XSS or arbitrary malicious code injection_.pdf

Expected Experience

Impact of the Bug

  1. Unknown Unclaimed S3 Bucket: The code references an unknown, unclaimed S3 bucket that any party can claim, which can be fatal for users. It can easily lead to XSS or arbitrary code injection on the user's end or, in the worst case, to RCE (Remote Code Execution).
  2. Arbitrary Code Injection: An attacker can replace requested files with malicious files or redirect all user requests for this bucket to another bucket or an attacker-controlled website. For information about redirecting requests, please refer to this aws-doc.

Proof of Concept (POC)

You can also view this POC video, which was made to show the impact only using a test S3 bucket.

POC-xss-and-arbitrary-code-injection-for-impact-testing-only

In this video, a small scenario is shown, but an attacker can escalate it to some other severe vulnerabilities.

Remediation

Steps to Fix the Bug

  1. Remove the Bucket Link: Remove the bucket link or replace it with another bucket link.
  2. Delete/Unclaim the Bucket: If you want the same bucket, the researcher will delete/unclaim the bucket.

Steps to Reproduce

Steps to Reproduce the Bug

  1. Go to GitHub Code: Go to the GitHub code of flow.com: https://github.com/onflow
  2. Search Bucket: Search for the bucket "rcrdshp-happyfox-assets." You will see all 4 references to this bucket.
  3. Access the Bucket: Now, when you try to access the bucket, you will see "Access Denied" as the researcher has taken over the bucket.
  4. NoSuchBucket: Before the takeover, the bucket returned "NoSuchBucket."
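The reproduction steps above (search the code for the bucket name, then check whether the bucket answers "NoSuchBucket" or "Access Denied") are exactly what a repository owner can automate as a recurring check; the same steps are summarized again in the Q&A below. The following Python script is an added example written for this page, not code from the FRW-Android repository or from the bug report: it extracts S3 bucket names from source files, probes each bucket once, classifies the XML error document S3 returns, and compares the result against an inventory of buckets the organization actually owns. The bucket name rcrdshp-happyfox-assets is taken from the report; the sample files, the other bucket names, the inventory and the probe responses are constructed. A live probe function is included, but the demo runs against an offline stand-in so it needs no network.

```python
"""Audit source files for S3 bucket references and flag dangling or foreign buckets.

Added example for this page (not code from FRW-Android or the bug report).
Only the bucket name rcrdshp-happyfox-assets comes from the report; every
sample file, other bucket name and probe response below is constructed.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable

# Virtual-hosted (bucket.s3[.-region].amazonaws.com) and path-style
# (s3[.-region].amazonaws.com/bucket) URLs; bucket names are 3-63 characters
# of lowercase letters, digits, dots and hyphens.
S3_URL_RE = re.compile(
    r"https?://(?:"
    r"(?P<vhost>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<path>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r")",
    re.IGNORECASE,
)


def find_bucket_references(text: str) -> list[tuple[int, str]]:
    """Return (line_number, bucket_name) for every S3 URL found in a file's text."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in S3_URL_RE.finditer(line):
            refs.append((lineno, (m.group("vhost") or m.group("path")).lower()))
    return refs


def classify_probe(status: int, body: str) -> str:
    """Map an HTTP status plus S3's XML error body to a bucket state."""
    code = None
    stripped = re.sub(r"^\s*<\?xml[^>]*\?>", "", body).strip()
    if stripped.startswith("<"):
        try:
            el = ET.fromstring(stripped).find("Code")
            code = el.text if el is not None else None
        except ET.ParseError:
            pass
    if status == 404 and code == "NoSuchBucket":
        return "unclaimed"            # name is free: anyone can register it
    if status == 403 and code == "AccessDenied":
        return "claimed-private"      # exists, but this response does not say whose
    if status in (301, 307) or code == "PermanentRedirect":
        return "claimed-other-region"
    if status == 200:
        return "claimed-public"
    return "unknown"


def http_probe(bucket: str, timeout: float = 10.0) -> tuple[int, str]:
    """Live probe (not used by the offline demo): GET the bucket root over HTTPS."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")


@dataclass
class Finding:
    path: str
    line: int
    bucket: str
    state: str    # result of classify_probe
    verdict: str  # "ok", "dangling", "foreign" or "unverified"


def audit_sources(sources: dict[str, str], probe: Callable[[str], tuple[int, str]],
                  owned_buckets: set[str]) -> list[Finding]:
    """Probe each referenced bucket once and judge it against the owned inventory."""
    findings, cache = [], {}
    for path, text in sources.items():
        for line, bucket in find_bucket_references(text):
            if bucket not in cache:
                cache[bucket] = classify_probe(*probe(bucket))
            state = cache[bucket]
            if state == "unclaimed":
                verdict = "dangling"      # remove the reference or register the name
            elif bucket in owned_buckets:
                verdict = "ok"
            elif state == "unknown":
                verdict = "unverified"
            else:
                verdict = "foreign"       # exists, but not in our inventory: treat as hostile
            findings.append(Finding(path, line, bucket, state, verdict))
    return findings


def s3_error_xml(code: str, bucket: str) -> str:
    """Constructed document mirroring the shape of S3's XML error response."""
    return (f'<?xml version="1.0" encoding="UTF-8"?><Error><Code>{code}</Code>'
            f'<Message>constructed</Message><BucketName>{bucket}</BucketName></Error>')


# Constructed sample files; only the first bucket name is from the report.
SAMPLE_SOURCES = {
    "app/src/main/res/values/strings.xml":
        '<string name="support_logo">https://rcrdshp-happyfox-assets.s3.amazonaws.com/logo.png</string>',
    "app/src/main/java/Config.kt":
        'const val ASSET_CDN = "https://s3.us-east-1.amazonaws.com/example-owned-assets/"\n'
        'const val LEGACY_CDN = "https://example-legacy-assets.s3-eu-west-1.amazonaws.com/"',
}
OWNED_BUCKETS = {"example-owned-assets"}  # constructed inventory of our own buckets


def fake_probe(bucket: str) -> tuple[int, str]:
    """Offline stand-in for http_probe with constructed responses."""
    if bucket == "rcrdshp-happyfox-assets":
        return 404, s3_error_xml("NoSuchBucket", bucket)  # the pre-takeover state
    return 403, s3_error_xml("AccessDenied", bucket)      # exists, owner not visible


def run_demo() -> list[Finding]:
    return audit_sources(SAMPLE_SOURCES, fake_probe, OWNED_BUCKETS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.verdict:10} {f.bucket:26} {f.path}:{f.line} ({f.state})")
```

The inventory comparison is the part a plain HTTP check misses: as step 3 shows, "Access Denied" only proves that some account owns the bucket, not which one, so a bucket that is claimed but absent from your own inventory deserves the same response as an unclaimed one. Swap `fake_probe` for `http_probe` to run the audit against real buckets from a CI job over the checked-out tree.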

Environment

- OS: -
- Node: -
- npm: -

Note: The environment details are not provided as the bug is not related to any specific environment or configuration.

Q&A: S3 Bucket Takeover Bug

Q: What is the S3 bucket takeover bug?

A: The S3 bucket takeover bug is a critical vulnerability discovered in the GitHub repository of flow.com. It involves an S3 bucket takeover, which can lead to XSS (Cross-Site Scripting) or arbitrary malicious code injection.

Q: What is the impact of the bug?

A: The code references an unknown, unclaimed S3 bucket that any party can claim, which can be fatal for users. It can easily lead to XSS or arbitrary code injection on the user's end or, in the worst case, to RCE (Remote Code Execution).

Q: How can an attacker exploit the bug?

A: An attacker can replace requested files with malicious files or redirect all user requests for this bucket to another bucket or an attacker-controlled website.

Q: What is the proof of concept (POC) for the bug?

A: You can view the POC video, which was made to show the impact only using a test S3 bucket.

POC-xss-and-arbitrary-code-injection-for-impact-testing-only

Q: How can the bug be fixed?

A: The bug can be fixed by removing the bucket link or replacing it with another bucket link. If you want the same bucket, the researcher will delete/unclaim the bucket.

Q: What are the steps to reproduce the bug?

A: The steps to reproduce the bug are as follows:

  1. Go to the GitHub code of flow.com: https://github.com/onflow
  2. Search for the bucket "rcrdshp-happyfox-assets." You will see all 4 references to this bucket.
  3. Now, when you try to access the bucket, you will see "Access Denied" as the researcher has taken over the bucket.
  4. Before the takeover, the bucket returned "NoSuchBucket."

Q: What is the environment required to reproduce the bug?

A: The environment details are not provided as the bug is not related to any specific environment or configuration.

Q: Who discovered the bug?

A: The bug was discovered by a security researcher who enumerated flow.com's GitHub code and found image logo URLs referencing an unknown and unclaimed S3 bucket.

Q: When was the bug submitted?

A: The bug was initially submitted on 7 Feb 2025 through the bug bounty program, but due to a delay it was not received by the bug bounty team.

Q: What is the current status of the bug?

A: The bug is currently being fixed by removing the bucket link or replacing it with another bucket link.

Q: How can I stay updated on the bug?

A: You can stay updated on the bug by following the GitHub repository of flow.com and checking for any updates on the bug.

Q: What is the contact information of the researcher who discovered the bug?

A: The contact information of the researcher who discovered the bug is not provided as it is not publicly available.

Q: Can I reproduce the bug in a test environment?

A: Yes, you can reproduce the bug in a test environment by following the steps to reproduce the bug.

Q: Is the bug related to any specific environment or configuration?

A: No, the bug is not related to any specific environment or configuration.

Q: Can I use the bug for malicious purposes?

A: No, the bug should not be used for malicious purposes. It is a critical vulnerability that can lead to XSS or arbitrary malicious code injection.

Q: How can I report a similar bug?

A: If you discover a similar bug, you can report it to the bug bounty program of flow.com or the GitHub repository of flow.com.