BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:Title: Sign of the Times: Exploiting Poor Validation of AWS
  SNS SigningCertUrl\nWhen: Sunday\, Aug 14\, 12:30 - 12:50 PDT\nWhere:
  Flamingo - Sunset-Scenic Ballroom (Cloud Village) - Map:
  https://defcon.outel.org/consolidated_page.html#FlamingoThirdFloor\n\n
 SpeakerBio: Eugene Lim\, Cybersecurity Specialist\, Government
  Technology Agency of Singapore\nEugene (spaceraccoon) hacks for good!
  At GovTech Singapore\, he protects citizen data and government
  systems through security research. He also develops SecOps
  integrations to secure code at scale. He recently reported remote
  code execution vulnerabilities in Microsoft Office and Apache
  OpenOffice and discussed defensive coding techniques he observed
  from hacking Synology Network Attached Storage devices at
  ShmooCon.\n\nAs a bug hunter\, he helps secure products globally\,
  from Amazon to Zendesk. In 2021\, he was selected from a pool of 1
  million registered hackers for HackerOne's H1-Elite Hall of Fame.
  Besides bug hunting\, he builds security tools\, including a
  malicious npm package scanner and a social engineering honeypot
  that were presented at Black Hat Arsenal. He writes about his
  research on https://spaceraccoon.dev.\n\nHe enjoys tinkering with
  new technologies. He presented "Hacking Humans with AI as a
  Service" at DEF CON 29 and attended IBM's Qiskit Global Quantum
  Machine Learning Summer School.\n\nTwitter: @spaceraccoonsec
  (https://twitter.com/spaceraccoonsec)\n\nDescription:\nCountless
  projects rely on Amazon Web Services' Simple Notification Service
  for application-to-application communication such as webhooks and
  callbacks. To verify the authenticity of these messages\, these
  projects use certificate-based signature validation based on the
  SigningCertURL value. Unfortunately\, developers are tasked with
  verifying the authenticity of the certificate URL themselves\,
  creating a vulnerable-by-default 'configuration over convention'
  situation that spawns numerous vulnerabilities. This is an official
  design pattern recommended by AWS itself
  (https://docs.aws.amazon.com/sns/latest/dg/
 sns-verify-signature-of-message.html). I will demonstrate how various
  custom checks and regexes in real projects can be bypassed to forge
  SNS messages by leveraging a namespace clash with Amazon S3.
  Attackers can generate and host their own public keys on S3 buckets
  that pass custom verification checks\, allowing them to trigger
  sensitive webhook functionality. In addition\, I will go further to
  discuss a key loophole (pending disclosure) in official AWS SDKs
  like sns-validator that affects all downstream dependents\, from
  Firefox Monitor to the 70 million download/week Definitely Typed
  package. I will dive into possible short-\, medium-\, and long-term
  fixes pending AWS' own patch. As a result\, attendees will walk away
  with a better understanding of the difficulties in securing trusted
  application-to-application cloud messaging tools. I will discuss how
  to code defensively by going for convention over configuration in
  cloud architecture. I will also provide pointers on discovering
  vulnerable SNS webhook implementations through code review.
DTEND:20220814T195000Z
DTSTART:20220814T193000Z
LOCATION:CLV - Flamingo - Sunset-Scenic Ballroom (Cloud Village)
SUMMARY:Sign of the Times: Exploiting Poor Validation of AWS SNS SigningCer
 tUrl
END:VEVENT
END:VCALENDAR
