TL;DR: Uploading a specially crafted image (Lottapixel.jpg) throws an error that exposes AWS credentials from Asana!

First of all I’m a skid! Most of the tools I use to find bugs aren’t made by me! But I keep a good archive of those tools!

Nowadays almost every site allows a user to upload an avatar, and history shows that image upload is an awesome point to attack! ImageTragick is the best-known case of a large-scale vulnerability using an image as a vector! So when I'm researching security vulnerabilities I always try to upload a set of specially crafted images that I've been collecting for a while!

One of my favourites is lottapixel.jpg! A little image that I found in a 3-year-old report on HackerOne! I've seen different behaviours on applications where I've uploaded this image! In some it goes through without problems, in others it just throws a 500 error, and in some it causes a small denial of service. I even saw a proxy closing the request after a few minutes! But in this case the application throws a 400 error with a verbose output!

I immediately recognized where that access key and secret key were from!

They were something like this:

AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

And they are Access Keys from AWS! I didn't try to use them, but they were probably the keys to access the S3 bucket where Asana keeps this kind of asset!
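As an added example (not code from the original post or from Asana), here is the defender's view of the same upload path in Python: it reads the declared dimensions straight from the JPEG header before any library decodes the file, rejects an absurd pixel count, and, if processing still throws, returns a generic 400 while scrubbing AWS-shaped credentials from the exception text before it is logged. MAX_PIXELS, the function names and the `jpeg_header` fixture builder are assumptions; the key pair used to exercise the redactor is the AWS documentation example quoted in the post, not a real credential.

```python
import re
import struct

MAX_PIXELS = 25_000_000  # assumed policy cap on the pixel count an avatar may declare

# AWS access key ID and the usual 40-character secret shape; used to scrub a
# verbose library exception before it is logged (overmatching is fine here).
_AKID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

def declared_jpeg_size(data: bytes) -> tuple[int, int]:
    """Read (width, height) from the first SOFn segment without decoding."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker stream")
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone marker, carries no length field
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seglen
    raise ValueError("no SOF marker found")

def redact(msg: str) -> str:
    return _SECRET.sub("[REDACTED]", _AKID.sub("[REDACTED]", msg))

def handle_upload(data: bytes, process) -> tuple[int, str]:
    """Check the header before decoding; never echo raw exception text."""
    try:
        width, height = declared_jpeg_size(data)
        if width * height > MAX_PIXELS:
            return 400, "image dimensions exceed the allowed limit"
        process(data)
        return 200, "ok"
    except Exception as exc:
        print("upload failed:", redact(str(exc)))  # server-side log only
        return 400, "invalid image"

def jpeg_header(width: int, height: int) -> bytes:
    """Constructed test fixture: SOI, one 3-component SOF0 segment, EOI."""
    comps = b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sof = struct.pack(">HBHHB", 17, 8, height, width, 3) + comps
    return b"\xff\xd8\xff\xc0" + sof + b"\xff\xd9"
```

The `process` callable stands in for whatever resizing library the application uses; the point is that its exception never reaches the HTTP response, and is redacted even in the server log.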

Wisely, Asana keeps a Bounty Program for responsible disclosure, and I reported this problem to them! After confirmation they awarded me a $500 bounty for this vulnerability!

Vulnerability Disclosure Timeline: