Viacom's 'Master Controls' Exposed in Another Amazon S3 Error
Another week, another instance of a high-profile organization leaving its sensitive data in the Amazon Web Services (AWS) cloud with little to no security protections.
Viacom Inc., a major media and entertainment conglomerate whose brands include MTV, Comedy Central and Paramount Pictures, was found to have stored important information related to its IT infrastructure in an Amazon Simple Storage Service (S3) bucket that was wide open to the public.
The exposure was discovered at the end of August and publicly reported on Tuesday by researchers at UpGuard Inc., which has spent the past few months ferreting out similar incidents -- including those involving the Republican National Committee, Verizon, Dow Jones & Company, the Chicago Election Board and military contractor TigerSwan -- that have left personal and sensitive data exposed due to misconfigured S3 access controls.
In the case of Viacom, the vulnerable data did not include individuals' private information, but "the master controls" of the company's IT infrastructure. According to UpGuard's report, the exposed data involved:
"a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation's business operations. Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire's many subsidiaries and dozens of brands. Perhaps most damaging among the exposed data are Viacom's secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate's cloud-based servers in the hands of hackers."
UpGuard said it discovered the exposed data on Aug. 30 and alerted Viacom on Aug. 31. Viacom then secured its data "within hours" of learning about the exposure.
The data had been stored in a publicly accessible S3 bucket in the "mcs-puppet" subdomain, according to UpGuard, which determined that "mcs" referred to Viacom's Multiplatform Compute Services unit. Based on job listing descriptions, this unit is responsible for managing, configuring and monitoring the IT systems behind Viacom's network of Web sites.
The bucket appeared to contain "the primary or backup configuration of Viacom's IT infrastructure," UpGuard said, as well as the credentials for the company's AWS account.
Also contained in the bucket were files linked to Viacom's Puppet account. Puppet is a provider of solutions that can be used to automate the provisioning of new servers in an organization. The exposure of this information could have had particularly broad implications for Viacom, according to UpGuard: "Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well."
Essentially, Viacom left the blueprints for its current and future IT infrastructure exposed in the public cloud, which would have put the company in dire straits if that information had been found by cybercriminals, argued UpGuard researchers. For example, criminals could have taken control of Viacom's popular digital brands to cook up wide-reaching phishing schemes, or spun up new servers in its network to operate as botnets.
"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating," the researchers said. "When it comes to data exposures, quality can be as vital as quantity."
For its part, Viacom said that it reviewed the data in question after UpGuard alerted the company and determined that none of it had been compromised.
"Once Viacom became aware that information on a server -- including technical information, but no employee or customer information -- was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact," the company said in a statement to media.
Gladys Rama is the senior site producer for Redmondmag.com, RCPmag.com and MCPmag.com.