This report was fully disclosed on 17 August 2018

Summary

An Amazon S3 bucket containing both released and unreleased promotional material, marketing information and media source assets (PSD, AI, etc.) is publicly readable.

Proof of Concept

By visiting https://s3.amazonaws.com/bmi.tmobile/ or running the command "aws s3 ls s3://bmi.tmobile --no-sign-request", a remote unauthenticated user can obtain a listing of the objects stored in this bucket. It appears that every object in the bucket can also be downloaded directly.

Recommendation

  • Disable bucket (object) listing for unauthenticated users
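From the bucket owner's side, the same misconfiguration can be caught with a configuration audit instead of an anonymous listing attempt. The following is an added example, not code from the original report or from T-Mobile: it evaluates the response shapes of the s3:GetBucketAcl, s3:GetPublicAccessBlock and s3:GetBucketPolicyStatus APIs (Public Access Block is a control AWS introduced after this report was published) against constructed sample data, so it runs offline.

```python
# Added example (not from the original report): classify a bucket's
# anonymous-listing exposure from its ACL, Public Access Block settings and
# bucket-policy status. All sample inputs below are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LISTING_PERMS = {"READ", "FULL_CONTROL"}  # ACL permissions that allow ListObjects
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_listing_grants(acl):
    """Return (group, permission) pairs for ACL grants that let anyone, or any
    AWS account, list the bucket. `acl` has the GetBucketAcl response shape."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri in (ALL_USERS, AUTH_USERS) and perm in LISTING_PERMS:
            found.append((uri.rsplit("/", 1)[-1], perm))
    return found


def assess(acl, pab, policy_is_public=False):
    """Combine the ACL, the PublicAccessBlockConfiguration dict and the
    IsPublic flag from GetBucketPolicyStatus into a single verdict."""
    grants = public_listing_grants(acl)
    # IgnorePublicAcls neutralises public ACL grants even if they still exist.
    acl_exposed = bool(grants) and not pab.get("IgnorePublicAcls", False)
    # RestrictPublicBuckets confines a public bucket policy to the owning
    # account, so anonymous callers no longer benefit from it.
    policy_exposed = policy_is_public and not pab.get("RestrictPublicBuckets", False)
    return {
        "listable_by_anyone": acl_exposed or policy_exposed,
        "public_grants": grants,
        "block_complete": all(pab.get(k) is True for k in PAB_KEYS),
    }


# Constructed samples: a "public-read" style ACL with no block configured,
# and the block configuration with all four flags turned on.
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
NO_BLOCK = {k: False for k in PAB_KEYS}
FULL_BLOCK = {k: True for k in PAB_KEYS}
```

Feeding the live API responses into assess() for every bucket in an account gives a quick inventory of buckets that an unauthenticated "aws s3 ls" could enumerate.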

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Attempting to run "aws s3 ls s3://bmi.tmobile --no-sign-request" now results in: "An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied"

Response From Affected Party

Response from [email protected] 13 Aug 2018

Thank you very much for reaching out to T-Mobile regarding possible security concerns with data on AWS. We appreciate the opportunity to address any potential issues. We’re investigating your report, and will reply as soon as possible with results/next steps. Again, thank you very much for bringing this to our attention!

Regards,

T-Mobile Security

Response from [email protected] 17 Aug 2018

Hello Glitch Witch,

Thank you for checking in. The issue should now be resolved. Please let us know if you see anything that indicates it is not. Thank you again for your help!

T-Mobile Security

Timeline

  • 10 August 2018: Affected Party Notified
  • 17 August 2018: Affected Party Released Patch (+7 days)
  • 17 August 2018: Report Published (+7 days)