Capital One (2019)
On July 17, 2019, Capital One’s security team was alerted to a data leak by an email sent to its responsible disclosure mailbox. A user reported that a GitHub repository contained suspicious commands for exfiltrating data from AWS S3 storage belonging to the bank. Examination of these commands revealed a critical flaw: in just a few lines executed via the AWS CLI, an attacker could retrieve the authentication credentials of an IAM role, list all associated S3 buckets and download their contents in bulk. Log analysis showed that these commands had been executed several months earlier, potentially compromising the sensitive data of millions of customers (Capital One Cyber Incident).
Further investigation reconstructed the attack chain. The attacker had exploited a Server-Side Request Forgery (SSRF) flaw on an exposed web server, a reverse proxy running ModSecurity, hosted on an AWS EC2 instance. By bypassing the filtering rules, the attacker was able to query the EC2 instance metadata service, an internal service that provides sensitive information, including the temporary credentials of the IAM role attached to the instance (Server-Side Request Forgery (SSRF)). Using these credentials, the attacker was able to execute commands as this role and gain unrestricted access to the associated AWS resources.
The final link in the chain was a misconfiguration of IAM permissions. The compromised role had excessive rights, including read access to all S3 buckets and the ability to decrypt protected data. This error enabled the attacker to exfiltrate around 30 GB of data, including millions of credit card applications, social security numbers and bank details (IAM Security Misconfigurations). Once the breach was identified, Capital One and AWS took immediate action: revoking the compromised credentials, shutting down the vulnerable instance and notifying the authorities, notably the FBI (AWS Shared Responsibility Model). This incident underlined the importance of strict access controls and reinforced protection against SSRF attacks, which cloud providers now mitigate more robustly.
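A detection a defender would want after a chain like this, added here as an example that is not part of the original article: scan CloudTrail records for instance-profile credentials (whose STS session name is the instance id) being used from an address outside the instance's own network, which is how credentials stolen through the metadata service typically surface. The events, account id, role name, instance id, timestamps and CIDR below are constructed placeholders, not values from the incident.

```python
import ipaddress

# Constructed CloudTrail-style records (placeholder account id, IPs, role and instance id).
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-22T10:01:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WAF-Role/i-0123456789abcdef0"}},
    {"eventTime": "2019-03-22T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WAF-Role/i-0123456789abcdef0"}},
    {"eventTime": "2019-03-22T10:06:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WAF-Role/i-0123456789abcdef0"}},
    {"eventTime": "2019-03-22T10:07:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/analyst"}},
]

# Networks from which the instance's own API traffic legitimately originates
# (the VPC CIDR here; add the NAT gateway's public IP if the instance egresses via NAT).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def is_instance_role_session(event):
    """True when the call used credentials vended by IMDS for an instance profile:
    EC2 names the STS session after the instance id, so the session ARN ends in /i-..."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    return ident.get("arn", "").rsplit("/", 1)[-1].startswith("i-")


def is_outside_trusted(ip, networks=TRUSTED_NETWORKS):
    """True when the source address is not inside any trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # calls made on the caller's behalf by an AWS service carry a hostname
    return not any(addr in net for net in networks)


def find_credential_misuse(events, networks=TRUSTED_NETWORKS):
    """Return (time, API call, source IP) for every instance-role call from an untrusted address."""
    return [(e["eventTime"], e["eventName"], e["sourceIPAddress"])
            for e in events
            if is_instance_role_session(e) and is_outside_trusted(e.get("sourceIPAddress", ""), networks)]


if __name__ == "__main__":
    for finding in find_credential_misuse(SAMPLE_EVENTS):
        print("instance-role credentials used off-host:", finding)
```

The same check, run continuously over CloudTrail, also catches the enumeration-then-download pattern (ListBuckets followed by GetObject) from the foreign address, so pair it with an alert on the role being used from anywhere but its own instance.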