Viacom cloud config goof exposed Paramount Pictures, Comedy Central, MTV, and more

Firm left secrets access keys available for anybody to view.

David bisson
David Bisson

Viacom cloud config goof exposed Paramount Pictures, Comedy Central, MTV, and more

Carelessness is believed to have exposed access credentials and other critical information assets owned by media giant Viacom Inc, leaving them viewable by anyone with an internet connection.

UpGuard explains that one of its researchers discovered the exposed data on August 30th:

“…Chris Vickery discovered a publicly downloadable Amazon Web Services S3 cloud storage bucket, located at the subdomain ‘mcs-puppet’ and containing seventy-two .tgz files. Vickery noted that each of the .tgz files, an extension often used for compressing backup data, had been created since June 2017 at irregular intervals; on some days, no such files had been created, while on others, five or six had been generated throughout the day.”

Chris Vickery…does that name sound familiar? It should. He’s the same security researcher who came across an online database hosted on a Google Cloud Server that contained 154 million U.S. citizens’ voter records back in June 2016.

Sign up to our free newsletter.
Security news, advice, and tips.

Included in each of the Viacom leak’s 72 .tgz files are folders with names like “keys” and “modules,” which could the mean company configured the cloud storage bucket to act as a data backup.

These folders collectively contain numerous mentions of “MCS,” a likely acronym for “Multiplatform Compute Services” that Viacom uses to support the infrastructure for MTV, Paramount, and its other media-based online properties. They also are home to files indicating Viacom’s use of configuration management software Puppet to set up servers and other IT assets.

UpGuard provides a deeper dive into the information compromised by the leak:

“Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised. Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner.”

Sep192017 yaml
Example configuration files for Viacom’s wide array of server instances. (Source: UpGuard)

Online criminals could have potentially used any of this information to conduct phishing attacks against Viacom or set up additional servers on the conglomerate’s infrastructure that they could, in turn, enlist into a botnet.

Vickery contacted Viacom on 31 August about the leak. Within hours, the media company had fixed the exposure.

As we all know, this isn’t the first time an unsecured S3 cloud storage bucket has exposed sensitive data, and it’s not the only time that a media conglomerate has suffered a digital security incident.

With that said, it’s important that companies do their due diligence to make sure all their assets, including those that leverage the cloud, are secured. Make sure you read Amazon’s advice on how organizations can secure their S3 buckets.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.