HBO database exposureBack to blog
One of those breaches you’d never knew it happened but it did, and we think you should know about it.
Since 2014 The Kromtech Security Center has helped to secure the sensitive data of millions of people from all over the world and identified exposed data from governments, companies, and organizations. A data leak can cause irreparable harm and we believe private data should remain private. Far too often simple human errors can expose sensitive data and the Kromtech Security Center has tried to bring attention to the importance of data security through news and security warnings.
Last week it has come to our attention through our research with our newly released tools - S3 Inspector (https://github.com/kromtech/s3-inspector) and Key Inspector (https://github.com/kromtech/key-inspector) that a cloud repository with affiliations to HBO has been exposed to the public internet. More specifically, s3 Amazon bucket hosted at a publicly accessible domain was open for anybody to access.
Among other stuff, several plain text API keys and links to other storages could have potentially opened a door for more, especially for people with malicious intent. These potentially sensitive files were available for view / edit / download for AWS authenticated users.
The database also contained scripts for accessing HBO modules in Asia region mostly, libraries with localizations, css stylesheets. The most sensitive stuff - two plain text API keys and links to other S3 storages with potentially much more info.
After sending notification email to the HBO security team on Friday, Jan 19th, bucket has been immediately secured, however, no further comments received.
The Dangers of API Keys public exposure
The real problem with exposed API keys is that they can create exposure to unauthorized access through authentication factors and cyber criminals can potentially discover unintended loopholes. Another issue is that API endpoints are often ignored from a security standpoint and once they are created they are often forgot about or ignored. It is unclear if anyone else has used these specific keys and Kromtech security researchers did not access them but only identified that they were publically available online.
HBO has had a bad year with security in 2017.
In 2017 a hacker going by the name “Mr. Smith” posted five scripts for the hit show Game of Thrones after trying to extort the company for $6 million. Security experts believe that the breech happened through phishing, malware attacks and social engineering tactics. The cyber criminal then released emails from HBO’ Vice President for Film Programming Leslie Cohen and other internal corporate information and around the same time another group hijacked the company’s Twitter account. Given the high profile nature of these hacks and the well published coverage in the media you would think that HBO and their 3rd party partner vendors would be one of the most secure organizations and not still leaking API keys or other possible vulnerable data online. HBO’s security concerns highlight just how hard it is to secure data and how companies need to do more to protect what they store online.