Breaking this down, several of AWS's core repos like the JS SDK use an allowlist of which contributor ids can run workflow actions in their PRs. The list was a regex, contained several short ids, and wasn't anchored with ^$, so if it allowed user 12345, then any userid containing 12345 could run their own actions on the PR, including one that exfiltrated access tokens. So they spammed GH with user creation requests, got an id that matched, and they were in like Flynn.

Said tokens didn't have admin access, but had enough privileges to invite other users to become full admins. Not sure if they were rotated, but github tokens are usually long-lived, like up to a year. Hey, isn't AWS the one always lecturing us to use temporary credentials? To be fair, AWS did more than just fix the regex, they introduced an "approve workflow run" UI unto the PR process that I think GH is also using now (not sure about that).

> To escalate privileges, we abused the token’s repo scope, which can manage repository collaborators, and invited our own GitHub user to be a repository administrator.

From everything I know about pentesting, they should have stopped before doing this, right? From https://hackerone.com/aws_vdp?type=team :

> You may only interact with accounts you own or with explicit written permission from AWS or the account owner

I worked on docs at GitHub which are open source, synced to an internal repo, and deployed on internal infra. I recall jumping through many hoops to make it work safely. These were workflows that had secrets access for deployments, and I recall zipping files, doing some weird handoffs/file filtering between different workflows based on the triggers and permissions. Security folks were really quick to find any gaps =)

Glad to see a few more security knobs on actions these days!

I always wondered if their decision to limit availability of CodeCommit had something to do with the overall quality of the underlying implementation. It always came off as an "also ran" product without any real care or effort put into it. Either that or the team responsible for creating it ultimately left the company.. anyways..

This article lends some credibility to that notion.

How did they create so many GitHub accounts? I used login with GitHub in the past to prevent spam but I feel like, after hearing this, I need to check for something like account age to prevent spam.

I try to avoid regexes like the plague, it is right up there with passing stuff into SQL strings. It is tempting enough to be used but it always goes wrong, no matter how good your sanitation. Even if the original author gets it right sooner or later someone will tweak the regex just a little to allow some edgecase and accidentally open the door to a whole pile of other cases. It's just too finicky and too powerful.

Oh no, is the AWS Console ok?

happens to the best of us