
Security flaw in cloud architectures including Amazon Web Services

Security researchers from Germany's Ruhr University Bochum have uncovered flaws in Amazon Web Services that allowed them to gain administrative control over customer accounts and access user data. The AWS vulnerabilities have since been fixed, but the researchers believe that similar problems exist in many other cloud architectures.

In a nutshell, the main flaw is an XML signature wrapping attack on the SOAP interface: the signature verifier located the signed element by its ID attribute rather than by its position in the message, so starting from a single legitimately signed request an attacker could move the signed element elsewhere in the envelope and insert an unsigned element of their own. The signature still verified, and the service executed the attacker's element as an authentic request. A separate cross-site scripting flaw also allowed the researchers to hijack an authenticated AWS session and access customer data, though not payment information or account passwords.

According to the Ruhr team, Eucalyptus, an open source platform for private clouds that exposes an AWS-compatible SOAP interface, is also vulnerable to XML rewriting attacks. Indeed, the team noted that flaws were found in "nearly every implementation," though the severity of the problem varies with the actual implementation.
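The wrapping attack described above, reduced to its structural core, as an added example that is not code from the Ruhr paper, from Amazon or from Eucalyptus. The envelope is a constructed, un-namespaced SOAP-like message; the signature is an HMAC over the serialized element, an assumption standing in for XML-DSig with RSA and canonicalisation (the flaw does not depend on the signature algorithm); the operation and instance names are made up. It shows the naive verifier accepting the relocated signed Body while the business logic executes the attacker's unsigned Body, and a hardened verifier that ties the two together.

```python
"""XML signature wrapping, reduced to its structural core (constructed example)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Toy shared key standing in for the customer's signing credential (assumption:
# real WS-Security uses XML-DSig with RSA and XML canonicalisation; the wrapping
# flaw is independent of the signature algorithm).
KEY = b"demo-shared-secret"


def digest(elem):
    """HMAC over the element's serialization; a stand-in for DigestValue/SignatureValue."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def build_message():
    """Constructed SOAP-like request: <Body Id="body"> carries a harmless operation."""
    env = ET.Element("Envelope")
    ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", Id="body")
    ET.SubElement(body, "DescribeInstances", instance="i-demo")
    return sign_body(env)


def sign_body(env):
    """Client side: sign the Body and reference it by its Id, as XML-DSig does."""
    body = env.find("Body")
    sig = ET.SubElement(env.find("Header"), "Signature")
    ref = ET.SubElement(sig, "Reference", URI="#" + body.get("Id"))
    ET.SubElement(ref, "DigestValue").text = digest(body)
    return env


def elements_with_id(env, ref_id):
    """Dereference an Id the way a naive verifier does: anywhere in the document."""
    return [e for e in env.iter() if e.get("Id") == ref_id]


def verify_naive(env):
    """Vulnerable verifier: the digest is checked over whichever element carries the
    referenced Id; nothing ties that element to the Body the server later acts on."""
    ref = env.find("Header/Signature/Reference")
    matches = elements_with_id(env, ref.get("URI")[1:])
    if not matches:
        return False
    expected = ref.find("DigestValue").text
    return hmac.compare_digest(expected, digest(matches[0]))


def process(env):
    """Business logic: reads the operation from /Envelope/Body, not from the verified element."""
    op = env.find("Body")[0]
    return op.tag, op.get("instance")


def wrap(signed_env, attacker_op_xml):
    """Attacker: relocate the signed Body under a wrapper in the Header, so the Reference
    still resolves, and insert a fresh unsigned Body carrying the attacker's operation."""
    env = copy.deepcopy(signed_env)
    original_body = env.find("Body")
    env.remove(original_body)
    ET.SubElement(env.find("Header"), "Wrapper").append(original_body)
    ET.SubElement(env, "Body").append(ET.fromstring(attacker_op_xml))
    return env


def verify_fixed(env):
    """Hardened verifier: the Id must be unique in the document and the signed element
    must be the very element the business logic will consume."""
    ref = env.find("Header/Signature/Reference")
    matches = elements_with_id(env, ref.get("URI")[1:])
    if len(matches) != 1 or matches[0] is not env.find("Body"):
        return False
    expected = ref.find("DigestValue").text
    return hmac.compare_digest(expected, digest(matches[0]))


if __name__ == "__main__":
    good = build_message()
    evil = wrap(good, '<TerminateInstances instance="i-victim"/>')
    print("original:", verify_naive(good), process(good))
    print("wrapped :", verify_naive(evil), process(evil))  # verifies, yet runs the attacker's operation
    print("fixed   :", verify_fixed(good), verify_fixed(evil))
```

The point of the hardened check is not the digest but the binding: verifier and application must agree on which subtree was signed, either by processing only the node that was verified or by rejecting any message where the referenced Id is ambiguous or resolves to something other than the element the service will act on. Verifying the signature and then reading the request from a fixed path are two independent lookups, and the attack lives in the gap between them.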

Amazon (NASDAQ: AMZN) fixed both problems quickly and said that no customers had been affected. In a statement, the cloud computing giant wrote: "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported."

You can read the full research paper here (.pdf).

For more on this story:
- check out this article at Computerworld
- check out this article at The Register
- check out this article at PCWorld
