Don’t show S3 keys in source code / someone else could access the entire bucket

  • Resolved markussss

    (@markussss)


    11 months, 1 week ago

    I noticed some plugins show and some don’t show passwords and API keys in the page source code. Updraft unfortunately shows the keys.

    Let’s say you have an S3 storage that accesses one bucket. Other client projects (websites) are uploaded to the same bucket. They might have a different key, but not all storage provider allow separation by access keys. It’s all in the bucket.

    A client who can access Updraft, is able to access the keys. They are not visible in Updraft → Settings → S3, but they are visible if you just look at the source code of that page.

    Basically that means, the client will get all access codes to the entire bucket, which is a huge security and privacy issue actually.

    Other plugins don’t show the keys in the source code, but Updraft does, and I hope there is a way around this.

    <input class="updraft_input--wide udc-wd-600" data-updraft_settings_test="secretkey" type="password" autocomplete="off" id="updraft_s3generic_secretkey_s-1234567890" name="updraft_s3generic[settings][s-1234567890][secretkey]" value="1234567890">

    Edit: just tested it.

    You can get FULL ACCESS to the bucket. I understand this might work differently for each S3 storage provider

    • This topic was modified 11 months, 1 week ago by markussss.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support vupdraft

    (@vupdraft)

    Which s3 storage provider are you using?

    Thread Starter markussss

    (@markussss)

    idrive e2 in that particular case, but I doubt it’s related to S3 storage provider. You show the keys pretty much in plain text in the code, and others don’t do that exactly for that particular reason – so it’s not related to the provider

    there providers that come with policies as well for a more granular setting, however not all allow that, per default you can just access the entire bucket

    Plugin Support pbevanudp

    (@pbevanudp)

    Hello,

    I would recommend avoiding using the same bucket for different sites that do not belong to the same company and to add further security measures by encrypting database backups with an encryption phrase.

    Thread Starter markussss

    (@markussss)

    I don’t think it’s the usual way of working, usually one would try to have as few buckets at possible.

    I showed the security issue that updraft supports here now (WPvivid for instance is not showing the keys), I can’t do more about it. Fingers crossed that it’ll be taken seriously by updraft

    Plugin Author David Anderson

    (@davidanderson)

    Hiding credentials on the settings page achieves nothing; anyone with access to backups of the site can just read them out of the site database instead. (Indeed, if they’re a site admin who can access UpdraftPlus, then they can do it many other ways too). If you chose to rely on that for your clients’ security, then your clients would be at risk.

    To secure an Amazon S3 setup properly, follow this guide – https://updraftplus.com/faqs/what-settings-should-i-use-for-amazon-s3-and-how-should-i-configure-my-amazon-s3-account#maxsecurity – and do not re-use credentials across sites. IAM policies allow you to use a single S3 bucket for multiple users without any of those users having access to someone else’s backups. S3-compatible providers who do not provide any equivalent solution are not suitable for storing multiple clients’ data in in a single bucket, assuming that you want actual security and not just the outward appearance of it sufficient to fool a client with limited knowledge.

    The above guide shows the steps in Amazon’s S3 console for creating a secure setup. The paid version of UpdraftPlus contains a helpful wizard to automate this if you prefer.

    Thread Starter markussss

    (@markussss)

    You are of course right .. as soon as WordPress can be fully accessed as admin there would be ways. Unfortunately not every storage provider comes with the same comprehensive features as AWS S3. In fact, the complexity of S3 turned off initially even – but there are many factors that come into play when looking for a storage provider

    I’ll see if I can separate it by using different buckets if my current storage provider is not offering a dedicated feature for it

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Don’t show S3 keys in source code / someone else could access the entire bucket’ is closed to new replies.