its worse than this.
another, far worse wallet attack can also be used if they know the bucket name youre using in S3. they can generate an obscene amount of invalid requests you pay for that quickly ads up, and amazons response is ‘so?’
The lead of s3 actually did indicate that they are planning changes in response to that article. Hopefully we see a change there soon.
Edit: found the link
thank pasta. this ‘security through obscurity’ policy is freakin me out
Totally agree. I have a close friend that works at AWS (although not anywhere close to s3) and this article was making the rounds internally. I know people have been upset about this, but it genuinely just sounds like one of those edge cases they overlooked until it was exposed. It sucks, but any developer has a good story of a time they’ve done it. Hopefully they get a fix out soon.
Would adding Cloudfront in front of the s3 bucket prevent against this type of attack? Does canceling the connection to the cloudfront distribution cause the same behavior with regard to s3 egress?
