Karma police, arrest this sysadmin. Security researchers have discovered the website belonging to iconic British miserablists, Radiohead, has been leaking every single IP address to have visited it between 2011 and 2013.
— Bob Diachenko (@MayhemDayOne) January 31, 2018
The exposure was discovered by Cologne-based infosec firm Kromtech Security. According to Bob Diachenko, the firm's Head of Communications, the logs are still sitting in an Amazon S3 bucket that anyone on the internet can read. There are more than 14 gigabytes' worth in total.
As leaks go, this one's pretty tepid, and doesn't contain anything earth-shatteringly dangerous like usernames and passwords. It is a standard web server access log in the common "combined" format: each entry holds the visitor's IP address, the timestamp of the request, the requested path, the server's status code and response size, the Referer (the URL of the page that caused the browser to make the request) and the browser's User-Agent string.
According to Diachenko, some of the entries could prove helpful to someone looking for sensitive information. He sent me a redacted line in which the Referer field, rather than the requested path itself, is the interesting part: it points to what appears to be a login page on an unrelated site served over HTTPS.
217.33.XXX.XXX - - [09/Dec/2013:10:43:50 +0000] "GET //inc/jquerymobile/jquery.mobile-1.3.2.min.js HTTP/1.1" 200 145396 "https://secure.XXXXX.com/login" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
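The line above is in the standard combined log format, and the Referer field is where the sensitive material tends to hide: the page that triggered a request may be a login or password-reset page, and its URL may carry session or reset tokens in the query string. The following Python scanner is an added example written for this article; it is not Kromtech's tooling or anything from the original report. It parses combined-format lines and flags Referer values worth a second look, going a little beyond the single line on the page: the two extra log lines, the list of sensitive parameter names and the radiohead.com hostnames are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: IP, identd, user, [timestamp], "request",
# status, size, "Referer", "User-Agent". The redacted line quoted above has this shape.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string keys that commonly carry credentials or single-use secrets.
# Assumed list for this example; tune it to the applications you actually log.
SENSITIVE_KEYS = {"token", "session", "sessionid", "sid", "key", "password",
                  "pwd", "reset", "auth", "code"}
# Path fragments that suggest an authentication page (heuristic; "auth" also hits "author").
LOGIN_PATH_WORDS = ("login", "signin", "auth", "reset", "password")


def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_findings(entry, own_hosts):
    """List the reasons the Referer of a parsed entry deserves attention.

    own_hosts: hostnames that belong to the logged site itself; a Referer on
    any other host means a page elsewhere caused the browser to fetch this URL."""
    findings = []
    ref = entry["referer"]
    if ref in ("", "-"):
        return findings
    u = urlsplit(ref)
    host = (u.hostname or "").lower()
    if host and host not in {h.lower() for h in own_hosts}:
        findings.append(f"off-site referer host {host}")
    if any(w in u.path.lower() for w in LOGIN_PATH_WORDS):
        findings.append(f"referer path looks like an auth page: {u.path}")
    leaked = sorted(k for k in parse_qs(u.query, keep_blank_values=True)
                    if k.lower() in SENSITIVE_KEYS)
    if leaked:
        findings.append(f"referer query carries {', '.join(leaked)}")
    return findings


def scan(lines, own_hosts):
    """Return (ip, path, findings) for every parseable line with at least one finding."""
    out = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        findings = referer_findings(entry, own_hosts)
        if findings:
            out.append((entry["ip"], entry["path"], findings))
    return out


# Sample input: the redacted line quoted in the article, plus two constructed lines.
SAMPLE_LOG = [
    '217.33.XXX.XXX - - [09/Dec/2013:10:43:50 +0000] "GET //inc/jquerymobile/jquery.mobile-1.3.2.min.js HTTP/1.1" 200 145396 "https://secure.XXXXX.com/login" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"',
    # constructed: ordinary on-site navigation, nothing to flag
    '203.0.113.7 - - [09/Dec/2013:10:44:01 +0000] "GET /kingoflimbs/ HTTP/1.1" 200 5120 "https://www.radiohead.com/" "Mozilla/5.0"',
    # constructed: referer carries a password-reset token in its query string
    '198.51.100.9 - - [09/Dec/2013:10:45:12 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://account.example.net/reset?token=abc123&uid=42" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG, {"www.radiohead.com", "radiohead.com"}):
        print(ip, path)
        for f in findings:
            print("   ", f)
```

Run against a real access log, only the first and third sample entries are reported: the quoted line because a login page on another site pulled a script from radiohead.com, the third because the Referer query string contains a token. Entries whose Referer is the site itself and carries no secrets stay quiet.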
Diachenko has cause to be a paranoid android. Many of the most high-profile data leaks of the past few years have been the product of people uploading sensitive information to Amazon S3 buckets whose access controls left them readable by anyone who knew, or guessed, the bucket name.
In October of 2017, MacKeeper researchers discovered open S3 buckets containing the personal information of over 1,000 NFL players and their agents, the details of three million WWE fans, and the blood test records of over 150,000 Americans. Anyone who found these buckets could read them with no alarms and no surprises.
The issue is so common that MacKeeper has even released a tool to help sysadmins spot misconfigured S3 buckets. Sadly, nobody told the notoriously tech-savvy band, who released their album In Rainbows as a pay-what-you-want download back in 2007.
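What such a check actually looks at is worth spelling out. A bucket becomes world-readable in one of two ways: a bucket ACL that grants a permission to the AllUsers group (or to AuthenticatedUsers, meaning any AWS account at all), or a bucket policy with an Allow statement for Principal "*" and no Condition. Amazon's S3 Block Public Access setting, added later in 2018, switches off both routes at once. The Python below is an added example written for this article, not MacKeeper's tool; it evaluates documents in the shape returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs, with a leaky configuration beside a hardened one. The bucket name, owner ID and role ARN are made up, and the inputs are constructed inline so the code runs offline; in practice you would feed it the output of `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`.

```python
import json

# The two grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# The four S3 Block Public Access switches; all should be True.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group description, permission) for each ACL grant to a public group.
    `acl` has the shape of a GetBucketAcl response."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return hits


def _principal_is_everyone(principal):
    """True for the policy spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement open to everyone with no Condition.
    `policy` is a parsed bucket policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    return [st.get("Sid", f"statement[{i}]") for i, st in enumerate(statements)
            if st.get("Effect") == "Allow"
            and _principal_is_everyone(st.get("Principal"))
            and not st.get("Condition")]


def missing_public_access_blocks(bpa):
    """Return the Block Public Access flags that are absent or False."""
    cfg = bpa.get("PublicAccessBlockConfiguration", {})
    return [f for f in BPA_FLAGS if not cfg.get(f, False)]


def assess_bucket(acl, policy, bpa):
    """Combine the three checks into human-readable findings (empty list = nothing public)."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"bucket policy statement {sid} allows Principal * without a Condition"
                 for sid in public_policy_statements(policy)]
    missing = missing_public_access_blocks(bpa)
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings


# Constructed inputs modelled on the API response shapes; not taken from any real bucket.
LEAKY_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"}]}''')
LEAKY_BPA = {"PublicAccessBlockConfiguration": {f: False for f in BPA_FLAGS}}

# Hardened counterpart: owner-only ACL, a policy scoped to one role, all four blocks on.
HARDENED_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [LEAKY_ACL["Grants"][0]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OneRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"}]}
HARDENED_BPA = {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}

if __name__ == "__main__":
    for name, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, LEAKY_BPA)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA))):
        print(name, assess_bucket(*args) or ["no public exposure found"])
```

The leaky configuration produces three findings (the AllUsers READ grant, the unconditioned Principal * statement, and all four Block Public Access flags off); the hardened one produces none. Note that a policy statement with a Condition is not automatically safe, only not trivially public, so a real review still reads those conditions.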
We reached out to Radiohead’s PR agency for comment. If we hear back from them, we’ll let you know.