WeSearch

I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

Tags: api, security, vulnerability

TL;DR (AI summary)

A security researcher discovered a vulnerability in a fintech's mobile API that allowed unauthorized access to account data. By exploiting a flaw in the AWS HTTP API's path matching, the researcher was able to bypass authentication checks and retrieve sensitive information. The issue was reported and promptly fixed, resulting in a $12,000 bounty for the researcher.

Original article: Blogspot

Opening excerpt (first ~120 words)

I was poking at a fintech’s mobile API and noticed something that made no sense. GET /v1/accounts returned 401. GET /v1/accounts/ returned 200 with full account data. One character. Completely different security posture.

What I was looking at

The API ran on AWS HTTP API — the newer, cheaper alternative to REST API. Lambda authorizer checked a JWT against Cognito, returned an IAM policy. Standard.

Routes in OpenAPI:

```yaml
/v1/accounts:
  get:
    x-amazon-apigateway-integration:
      uri: arn:aws:apigateway:...
/v1/accounts/{accountId}:
  get:
    x-amazon-apigateway-integration:
      uri: arn:aws:apigateway:...
```

The authorizer ran on every request.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Blogspot.
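The excerpt describes a route table where a path and its trailing-slash variant resolve differently and end up with different authorization behaviour. The block below is an added example, not code from the article or from AWS: it models a per-route authorizer table of the kind the excerpt shows, compares strict path matching with matching after trailing-slash normalization, and gives the API owner two checks, a static audit of the declared routes and a regression check over unauthenticated responses. The `$default` catch-all with no authorizer, the `x` placeholder used to fill path parameters, and the probe results are constructed assumptions to illustrate the bug class; they are not a statement of how AWS HTTP API matches paths internally.

```python
"""Trailing-slash consistency checks for an API Gateway style route table.

Added example, not from the article. ROUTES and the `$default` fallback
without an authorizer are constructed assumptions that model the class of
bug described in the excerpt.
"""
import re

# Constructed route table modelled on the two routes in the excerpt.
# auth=True means a Lambda authorizer is attached to that route.
ROUTES = {
    "GET /v1/accounts": {"auth": True},
    "GET /v1/accounts/{accountId}": {"auth": True},
    "$default": {"auth": False},  # assumption: catch-all route, no authorizer
}

# Constructed unauthenticated probe results mirroring the excerpt's observation.
CONSTRUCTED_PROBE = {"/v1/accounts": 401, "/v1/accounts/": 200}


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and drop a trailing slash (root stays '/')."""
    segments = [s for s in path.split("/") if s != ""]
    return "/" + "/".join(segments)


def _template_matches(template: str, path: str) -> bool:
    """Segment-by-segment match; '{name}' segments accept any non-empty value."""
    t_segs = template.split("/")
    p_segs = path.split("/")
    if len(t_segs) != len(p_segs):
        return False
    for t, p in zip(t_segs, p_segs):
        if t.startswith("{") and t.endswith("}"):
            if p == "":
                return False
            continue
        if t != p:
            return False
    return True


def match_route(routes: dict, method: str, path: str, normalize: bool) -> str:
    """Return the route key a request resolves to, or '$default' if none match."""
    if normalize:
        path = normalize_path(path)
    for key in routes:
        if key == "$default":
            continue
        key_method, key_path = key.split(" ", 1)
        if key_method == method and _template_matches(key_path, path):
            return key
    return "$default"


def is_authorized_route(routes: dict, method: str, path: str, normalize: bool = False) -> bool:
    """True if the route the request resolves to has an authorizer attached."""
    return routes[match_route(routes, method, path, normalize)]["auth"]


def audit_trailing_slash(routes: dict, normalize: bool = False) -> list:
    """Static audit: for each declared route, check that the trailing-slash
    variant of a concrete path resolves to a route with the same auth setting.
    Returns (method, path, variant, path_auth, variant_auth) per mismatch."""
    findings = []
    for key in routes:
        if key == "$default":
            continue
        method, template = key.split(" ", 1)
        # Fill path parameters with a placeholder so the concrete path matches.
        concrete = re.sub(r"\{[^/]+\}", "x", template)
        variant = concrete.rstrip("/") if concrete.endswith("/") else concrete + "/"
        base_auth = is_authorized_route(routes, method, concrete, normalize)
        var_auth = is_authorized_route(routes, method, variant, normalize)
        if base_auth != var_auth:
            findings.append((method, concrete, variant, base_auth, var_auth))
    return findings


def inconsistent_probe_pairs(observed: dict) -> list:
    """Regression check over status codes observed WITHOUT credentials on the
    owner's own API: flag any path whose trailing-slash variant answered
    differently. Returns (path, status, variant, variant_status) per mismatch."""
    out = []
    for path, status in observed.items():
        if path.endswith("/"):
            continue
        other = observed.get(path + "/")
        if other is not None and other != status:
            out.append((path, status, path + "/", other))
    return out


if __name__ == "__main__":
    print("strict matching:", audit_trailing_slash(ROUTES, normalize=False))
    print("normalized matching:", audit_trailing_slash(ROUTES, normalize=True))
    print("probe mismatches:", inconsistent_probe_pairs(CONSTRUCTED_PROBE))
```

With strict matching the audit reports both declared routes, because `/v1/accounts/` and `/v1/accounts/x/` match no template and fall through to the unauthenticated catch-all; with normalization applied before routing the audit is clean. In the model, the fix is either to normalize paths before route lookup or to make sure no reachable fallback route lacks the authorizer, and the probe check belongs in the deployment's regression suite so a future route change cannot reintroduce the gap silently.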
