Invocation of Process Using Visible Sensitive Information in papercups-io/papercups

Valid
Reported on May 17th 2021

💥 BUG

An open S3 bucket allows anyone to read any uploaded file.

💥 IMPACT

Any user can download any other user's uploaded file. A user may also be able to update or delete any uploaded file in the S3 bucket (not tested).
AWS offers a command-line interface for manipulating S3 buckets, for example:

aws s3 ls s3://mybucket --> list all files
aws s3 cp myfolder s3://mybucket/myfolder --recursive --> copy all files
aws s3 rm s3://mybucket/test2.txt --> remove a file

For more, see https://aws.amazon.com/cli/ and
https://docs.aws.amazon.com/cli/latest/reference/s3/rm.html

💥 AFFECTED S3 BUCKET

https://papercups-files.s3.amazonaws.com/

💥 STEPS TO REPRODUCE

  1. From your account, upload a file and confirm it is stored in the S3 bucket. You can now read any file uploaded by any user.
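A defender-side check for the bucket settings that cause this kind of exposure, added here as an example and not part of the original report. The SAMPLE_* dicts are constructed to mirror the JSON returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`; they are not taken from the affected bucket.

```python
"""Offline audit of an S3 bucket's ACL, bucket policy and Block Public Access settings.
Added example, not code from the original report: SAMPLE_* below are constructed to mirror
the JSON shape of `aws s3api get-bucket-acl`, `get-bucket-policy`, `get-public-access-block`."""
GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP_PREFIX + "AllUsers", GROUP_PREFIX + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """(group, permission) pairs the ACL hands to everyone on the internet."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def public_policy_actions(policy):
    """S3 actions that an unconditional Allow statement grants to principal '*'."""
    actions = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def public_access_block_ok(pab):
    """True only when all four S3 Block Public Access settings are enabled."""
    return all(pab.get("PublicAccessBlockConfiguration", {}).get(f) is True for f in PAB_FLAGS)


def audit(acl, policy, pab):
    """Return human-readable findings; an empty list means nothing public was found."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"bucket policy allows {act} to principal *" for act in sorted(public_policy_actions(policy))]
    if not public_access_block_ok(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed samples: an ACL that lets AllUsers list the bucket, a policy that lets anyone
# read objects, and a Block Public Access configuration with every setting switched off.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
```

Running `audit(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB)` reports three findings; the remediation is the inverse of each (remove the AllUsers grant, drop or scope the `Principal: *` statement, and turn all four Block Public Access flags on).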

💥 VIDEO

https://drive.google.com/file/d/1sqQ5J_4bnWXD_9TPAM66WOit9yWvgil_/view?usp=drivesdk