Amazon accidentally left a Prime Video database running for weeks containing a massive amount of display data: security researcher Anurag Sen discovered it, reported it to Amazon, and the issue was resolved within a few hours. Company spokesmen say (and researchers agree) that no sensitive user data is at risk: the records were anonymous and it was impossible to trace a real person. However, the story represents a A high-profile reminder of how easy it is to misconfigure a server – And how severe the consequences are.
In practice, it so happened that the database was not password protected: anyone who knows the IP address of the server can explore it in detail from any smartphone or computer using a trivial web browser. According to researchers, it consists of About 215 million records, which contains information such as the name of the show or movie being streamed, client device, network quality, subscription information (prime member or not?) and more. Ironically, the database was called “Sauron” – a clear reference to the all-seeing eye, a manifestation of the main antagonist of JRR Tolkien’s Lord of the Rings.
according to Take CrunchAccording to the specialized search engine Shodan, the database was registered for the first time as it was displayed on the 30th of last September; So let’s say it It took about a month for the problem to be identified and resolved. Fortunately, no one with less noble intentions seems to have noticed the flaw – and we repeat, even if it did, they wouldn’t be able to do much damage by exploiting it.
The good thing is Amazon was quick to respond for error reports; A spokesperson for the company also wanted to defend AWS, which is the same Amazon cloud infrastructure (AWS = Amazon Web Services) that hosted the database:
An error occurred configuring the Prime Video Analytics server. This issue has been resolved and no account information (including login details or payment information) was disclosed. It wasn’t an AWS problem; AWS is secure by default and works as expected.