2018-12-21

Responsible disclosure: Emtrain - open AWS S3 buckets

Emtrain (emtrain.com), a provider of HR and business compliance training, owned two production AWS S3 buckets that were set to public read/write access. The buckets contained live content served to users.

The affected buckets, s3://website_production and s3://course_creation_production, were publicly readable and writable (anyone could read and write content to the buckets unauthenticated) at least between 2018-06-11 and 2018-12-03. The buckets are no longer public read/write as of 2018-12-21.

The affected buckets served over 10GB of production resources including course content (materials, quizzes, etc.) and live website data (such as jquery). The size and content of the affected resources suggest that the majority of Emtrain's course and website data was stored in the affected buckets.

The buckets were publicly writable, therefore it was possible for an attacker to inject malicious code in both course content (such as interactive courses and downloadable files) and web pages served to users.
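As an added example (not part of the original advisory and not Emtrain's own tooling), the following Python script shows how a defender can audit the configuration class described above: it inspects a bucket ACL in the shape returned by S3's GetBucketAcl and a bucket policy in the shape returned by GetBucketPolicy, flags grants to the AllUsers (anonymous) and AuthenticatedUsers (any AWS account) groups and unconditioned Allow statements with a wildcard principal, and classifies the bucket as public-write, public-read or private. The ACL and policy documents are constructed inline to mirror an open read/write bucket and a hardened one; no live AWS calls are made, and the group URIs and permission names are the real S3 identifiers.

```python
"""Offline audit of S3 bucket ACL grants and bucket policy statements for public access."""
from fnmatch import fnmatch

# Canonical group URIs that S3 uses in ACL grants for "everyone" principals.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# READ exposes object listing; WRITE/WRITE_ACP/FULL_CONTROL let anyone add or replace content.
RISKY_PERMISSIONS = {"READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_acl_grants(acl):
    """Return (group label, permission) pairs for every risky grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if label and grant.get("Permission") in RISKY_PERMISSIONS:
            findings.append((label, grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditioned Allow statements granted to everyone.

    Statements with a Condition block are skipped: they may still be public but
    need manual review (e.g. aws:Referer is trivially spoofable, a VPC source is not).
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), list(actions)))
    return findings


def classify(acl_findings, policy_findings):
    """Worst-case exposure: 'public-write', 'public-read' or 'private'."""
    if any(perm in WRITE_PERMISSIONS for _, perm in acl_findings):
        return "public-write"
    for _, actions in policy_findings:
        # IAM action matching is case-insensitive and supports '*' wildcards.
        if any(fnmatch("s3:putobject", pattern.lower()) for pattern in actions):
            return "public-write"
    if acl_findings or policy_findings:
        return "public-read"
    return "private"


# Constructed sample documents (owner IDs are placeholders, not real canonical IDs).
OWNER = {"DisplayName": "example-owner", "ID": "0000000000000000000000000000000000000000000000000000000000000000"}
OPEN_ACL = {  # mirrors a bucket anyone can list and write to
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
OWNER_ONLY_ACL = {  # hardened: only the bucket owner holds any grant
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}],
}
PUBLIC_READ_POLICY = {  # public-read via policy rather than ACL; still worth surfacing
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name, acl, policy in [("open", OPEN_ACL, {}), ("owner-only", OWNER_ONLY_ACL, {}),
                              ("policy-read", OWNER_ONLY_ACL, PUBLIC_READ_POLICY)]:
        a, p = public_acl_grants(acl), public_policy_statements(policy)
        print(f"{name}: {classify(a, p)} acl={a} policy={p}")
```

In practice the two input documents come from `get_bucket_acl` and `get_bucket_policy` calls made with read-only credentials, and the most robust remediation is enabling S3 Block Public Access at the account level so that no ACL or policy can reopen a bucket later; this script is meant as the detection step that finds buckets like the two described above before that control is in place.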

Because publicly-writable website content constitutes a high risk to users (such as breach of credentials and exposure of personally identifiable information), responsible public disclosure is warranted.

=== Timeline ===

2018-06-11: Arya discovers vulnerability
2018-06-11: Arya contacts Emtrain asking for best way to report vulnerability
2018-06-11: Emtrain responds
2018-06-11: Arya reports vulnerability through the indicated channel
2018-06-12: Emtrain confirms that the report was received by the appropriate team
2018-12-03: Arya performs a routine verification of vulnerability; vulnerability is still present
2018-12-03: Arya re-submits report to Emtrain, escalates report to senior management, and sets public disclosure timeline to 18 days due to the severity of the issue; Arya notifies Emtrain about intended disclosure timeline and indicates that timeline is flexible
2018-12-03: Emtrain VP of Engineering confirms receipt of report
2018-12-07: Arya bumps the issue, reiterates disclosure timeline, and offers coordinated disclosure; no response
2018-12-14: Arya bumps the issue, reiterates disclosure timeline, and asks if there are any issues with disclosure timeline; no response
2018-12-21: Arya performs a routine verification of vulnerability in preparation for public disclosure; vulnerability is not present
2018-12-21: Public disclosure