If callback_url equals file:///home/*/.aws/credentials, urlopen will read the local file (assuming the wildcard is resolved or the file exists). The content is then exfiltrated.
[profile1]
aws_access_key_id = YOUR_ACCESS_KEY_ID_1
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY_1
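The unvalidated urlopen(callback_url) pattern from the write-up beside a hardened check that allows only http(s) and refuses hosts that resolve to non-public addresses. This is an added example, not code from the original page; the callback URLs, the injectable resolve parameter and the addresses used in comments are assumptions.

```python
"""Attacker-controlled callback_url: vulnerable fetch vs. hardened check (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import urlopen

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_fetch(callback_url: str) -> bytes:
    """The pattern described above: no validation, so file:// URLs and
    internal addresses (loopback, metadata service, RFC1918) are all reachable."""
    with urlopen(callback_url) as resp:  # noqa: S310 - deliberately unsafe
        return resp.read()


def is_public_ip(ip_text: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_callback_url(url: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """Return (ok, reason). `resolve` is injectable (assumed helper) so the
    check runs offline in tests; the default resolves via DNS."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"  # rejects file://, gopher://, ...
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"could not resolve {host!r}: {exc}"
    if not is_public_ip(addr):
        return False, f"{host!r} resolves to non-public address {addr}"
    return True, f"{host!r} -> {addr}"


def safe_fetch(callback_url: str, resolve=socket.gethostbyname) -> bytes:
    """Validate first, then fetch. Caveat: urlopen resolves the name again, so a
    DNS-rebinding attacker can still swap answers; pin the checked address
    (connect to `addr` and send the Host header yourself) for full protection."""
    ok, reason = check_callback_url(callback_url, resolve)
    if not ok:
        raise ValueError(f"callback_url rejected: {reason}")
    return vulnerable_fetch(callback_url)
```

Pair the check with the egress firewall rule described in the mitigation section; host-level validation alone does not cover the rebinding window noted in safe_fetch.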
The example above is not isolated. Security researchers should also watch for:
Use a firewall or Security Group to restrict the server from making outbound requests to internal IP addresses or sensitive local files.

4. Investigation

If you suspect a breach:
AWS credentials are the keys to the kingdom for many organizations. A leaked aws_access_key_id and aws_secret_access_key allow an attacker to: