A classic Corona evening in May: IT security and cloud expert Thomas Krauss is watching a lecture from an AWS conference on YouTube. There the speaker is setting up a new user account and password and declaring that he has to do it very quickly – so that the passcode cannot be seen. “Wait a minute”, Krauss thinks, rewinds the video a few frames and sees the access code.
The speaker at the AWS conference is just one example of many. There are numerous recordings of conferences and tutorials on YouTube, in which the lecturers set up cloud services with user accounts and generate and copy access data. Together with his work colleagues at the pentesting company Syss, Krauss begins to search for access data in YouTube videos – and always finds it. A security problem.
“Most of the tutorials use virtual machines, because the access data is often not very useful, but for cloud services, anyone can log in with the access data”, explains Krauss. If the lecturers do not delete the accounts immediately, the data can be misused by third parties, for example to use paid services or to carry out bitcoin mining.
Passwords in almost every fifth YouTube tutorial
The Syss employees want to know how big the problem really is and start looking for videos on YouTube that could contain cloud access data. They look through the videos manually and save their URLs and access data in a list. “Usually the accounts are created at the end of the first third of the tutorials”, explains Krauss. In total, they watch around 550 YouTube videos and find access data in 100 videos. However, not all are equally legible. Especially 0 and O or I and l look pretty much the same, depending on the font in the terminal or in the editor.
Stellenmarkt
So IT security consultant Fabian Krone unceremoniously writes a tool that generates the various options and tries them out at AWS. With six of the 100 access data discovered, the security researchers can actually log on to AWS – the speakers did not delete the accounts. “Between one and six percent of the cloud tutorials on Youtube contain valid access data”Krauss estimates. “We have informed those affected about the access data finds.”
Amazon is watching YouTube
But to work through more than 500 YouTube tutorials for six valid access data is complex. “The cognitive task is to recognize text in a video,” explains Krauss. “Machines can do that too.” To ironically search for the AWS access data, he ironically picks up Amazon’s video evaluation service Rekognition back. That works, but it takes a lot of work, because recognition misunderstands a lot more signs than people.
Please activate Javascript.
Or use that Golem pure offer
and read Golem.de
- without advertisement
- with javascript turned off
- with RSS full text feed
–
