Viacom left keys to its kingdom exposed on AWS

Credentials leak could have seen media company hijacked.

Security researchers have found yet another unprotected corporate Amazon Web Services Simple Storage Service (S3) data trove, this time belonging to Viacom, with a full set of login credentials for the media giant and its subsidiaries.

Viacom is one of the largest broadcast media and entertainment conglomerates in the world, and operates subsidiary brands such as MTV, Comedy Central, Nickelodeon and Paramount Pictures.

UpGuard, which specialises in cloud data leak protection, found passwords and manifests for Viacom's Multiplatform Compute Services (MCS) group, which provides IT support for the conglomerate and its subsidiaries, inside a compressed file on the AWS S3 store.

An attacker could have used the MCS credentials to control Viacom servers, UpGuard said.

The security vendor also found a master provisioning server running the Puppet configuration and management tool, which could be used to spin up new task-specific servers for Viacom.

If the Puppet server had been compromised, it could have had severe consequences for the company, according to UpGuard.

"Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket," UpGuard wrote.

UpGuard also found the GNU Privacy Guard (GPG) decryption keys for Viacom's regular backups stored in the AWS S3 data repository. Access keys to Viacom's AWS account itself were also stored in the S3 bucket.

After being alerted by UpGuard to the security breach, Viacom secured the AWS S3 instance and it is no longer accessible via the public internet.

Viacom did not confirm what the S3 bucket was being used for.

Neither company has said if any of the data on the S3 storage was accessed without authorisation before being secured.

UpGuard found a similar case back in July in which two million Dow Jones customers had their personal details exposed online via an unsecured S3 repository.

US telco Verizon and government security contractor Booz Allen Hamilton have also fallen afoul of the same misconfiguration issue.

Those cases led AWS to contact customers whose S3 buckets were configured to be freely accessible by anyone on the internet, asking them to review their access controls.
