Image and video clip drip through misconfigured S3 buckets
Typically for images or any other asserts, some form of Access Control List (ACL) is set up. A common way of implementing ACL would be for assets such as profile pictures
One of the keys would act as a вЂњpasswordвЂќ to gain access to the file, additionally the password would simply be offered users who require usage of the image. When it comes to a dating application, it is whoever the profile is presented to.
I’ve identified several misconfigured S3 buckets on The League through the research. All photos and videos are inadvertently made general general public, with metadata such as which user uploaded them when. Usually the application would obtain the pictures through Cloudfront, a CDN on top regarding the buckets that are s3. Unfortunately the s3 that is underlying are severely misconfigured.
Side note: in so far as i can inform, the profile UUID is randomly created server-side if the profile is done. Making sure that asian brides for marriage right part is not likely to be really easy to imagine. The filename is managed by the customer; the host takes any filename. Continue reading Therefore I reverse engineered two dating apps.