This report was fully disclosed on 17 August 2018
An amazon S3 bucket containing both released and unreleased promotional material, marketing information and media source assets (PSDs, Ai etc) is publicly readable.
Proof of Concept
https://s3.amazonaws.com/bmi.tmobile/ or running the following command
aws s3 ls s3://bmi.tmobile --no-sign-request a remote unauthenticated user is capable of receiving a list of objects stored in this bucket. It appears all objects stored on this server can also be directly downloaded.
- Disable directory listing for unauthenticated users
At the time of publishing this report the reported issue has been resolved.
Attempting to run
aws s3 ls s3://bmi.tmobile --no-sign-request now results in
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
Response From Affected Party
Response from [email protected] 13 Aug 2018
Thank you very much for reaching out to T-Mobile regarding possible security concerns with data on AWS. We appreciate the opportunity to address any potential issues. We’re investigating your report, and will reply as soon as possible with results/next steps. Again, thank you very much for bringing this to our attention!
Response from [email protected] 17 Aug 2018
Hello Glitch Witch,
Thank you for checking in. The issue should now be resolved. Please let us know if you see anything that indicates it is not. Thank you again for your help!
- 10 August 2018: Affected Party Notified
- 17 August 2018: Affected Party Released Patch (+7 days)
- 17 August 2018: Report Published (+7 days)