Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Forget backdoor hacking—Amazon left the front door wide open, swinging in the wind.
Viewing data from Amazon’s Prime Video platform was left online and accessible without a password, the misconfiguration potentially exposing about 215 million data points to anyone with the know-how to access it.
Among the data exposed on the Elasticsearch database—named “Sauron”—were streaming devices, shows, network information, and whether or not the viewers were Prime customers. Personally identifiable information (PII) was not available, however, a small victory for consumers.
The Sauron breach was detected by security researcher Anurag Sen. Sen told IT Brew that while there wasn’t much PII on the server, the information was still valuable. It’s important user data that advertisers covet.
“These are left so poorly unprotected,” Sen told IT Brew. “Anyone, just by the IP address, can access all the details.”
Sen alerted Amazon to the vulnerability, and it’s since been fixed—the database has been restricted—but the leak shows the danger of leaving unsecured information online.
In a statement to TechCrunch, Amazon spokesperson Adam Montgomery said that the issue was solely with the Prime Video server.
“This problem has been resolved and no account information (including login or payment details) were exposed,” Montgomery said. “This was not an AWS issue; AWS is secure by default and performed as designed.”
Whether or not AWS is secure is somewhat immaterial compared to the level of security breach the open data is revealing. While the information revealed in the leak wasn’t targeted to individuals, the lack of security isn’t reassuring, especially with the valuable user data stored on Amazon and other large service providers and platforms.
“They shouldn’t have left it open, being a big company like Amazon,” Sen told IT Brew, adding, “It’s not up to security standards.”—EH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.