Open AWS S3 bucket leaked hotel booking credit card authorizations

Another day, another misconfigured AWS storage bucket leaking corporate data, this time from hotel booking service Groupize. The find was made by Kromtech Security Center researchers and is detailed at MacKeeper. The discovery has sparked a spat between Kromtech and Groupize, with the latter denying that anything sensitive …

  1. Adam 52 Silver badge

    I don't have confidence in MacKeeper here. Their "story" can't decide if it wants to be a news item or a vulnerability report. You don't say "Online Service Offering Group Hotel Bookings Allegedly Exposed Sensitive..." if it's you yourself making the allegations.

    Either you have confidence in what you're saying or you don't. If you have confidence, publish your findings. If you don't have confidence, shut up until you do. Don't hide behind "allegedly".

  2. This post has been deleted by its author

  3. wyatt

    Sounds like fun for someone, however whilst the host was AWS they're not in any way to blame are they? I work with equipment that can make a business fail their PCI-DSS compliance tests with one incorrectly set password (as I'm sure do many of us). Not the equipment's fault though..

    1. Ian Michael Gumby

      @Wyatt

      AWS has a lot of security going for it.

      However unless you turn it on... it's useless.

      Clearly this is the guy who put the data up there's fault.

      The issue is that many don't view the cloud as a separate entity where you need to lock things down, but an extension of their own data center(s) where you're behind a firewall.

      This is a good example of why the cloud is less secure than your very own data center.

      1. wyatt

        Re: @Wyatt

        I do see your point, I suppose it's going to take a while for (some) admins to get their game up to speed in using off site providers.

  4. Stevie

    Bah!

    Oh dear, someone persisted ccv codes despite being told by Visa et al not to?

    Well, I see no alternative. Canings all round, followed by a week wearing the conical hat of extreme stupid.

    1. hellwig

      Re: Bah!

      What, and have to look up the CCV code EVERY TIME I reserve a hotel room? Why don't I just pay with sea-shells and colorful beads? Jeese!

  5. macjules

    Anything about RDS?

    It is not so much the buckets that fill me with dread ... it's the bloody developers who think that it is a good idea to deploy public-facing Aurora databases with complex passwords like 'root', or 'password'. I recently disabled one db like this and sent the developer an email about password security. I notice from LastPass that the database password had been updated to "F11ck0ffC*nt" .. changed since the client also has access to the db.

    1. Korev Silver badge

      Re: Anything about RDS?

      Wow, that's seriously unprofessional. Does his manager know?

      1. Adam 52 Silver badge

        Re: Anything about RDS?

        Indeed, the new password is likely to be very early on in a dictionary attack.

        Oh, you mean the poor coding and attitude to constructive comment. That's just depressingly familiar.
