
How I was able to takeover s3 bucket of a trading site

2 min read · Oct 27, 2020

Assalamualaikum to all. My name is Imran Huda. I’m from Bangladesh. I’m a student and I have been doing bug bounty for almost two years. I just crossed 20 in September. A little introduction was needed as it’s my first writeup.

Today I will share a story of how I was able to find an S3 bucket takeover on a trading and investment site. This is not a new or an interesting one, but I thought to share it with the community. The site is private on HackerOne, so I will call it https://private.com. The site only had the main domain in scope and lots of hackers were on the thanks page. Because of that I was not expecting to find anything easily.

(To all of my Muslim friends: Boycott French Products)

The unclaimed bucket:

To find S3 buckets on webpages I have been using a Firefox add-on called “S3 Bucket List by Alec Blance”; you can find it here. I was surfing https://private.com and saw that I had captured some S3 buckets in my add-on. One of the buckets caught my attention as I was seeing “NoSuchBucket”.

And a smile on my face

The bucket may have been accidentally deleted or they may have forgotten to remove it from the site. The bucket had an image file “blahblah.png” and it was “https://theoneiwaslookingfor.s3.amazonaws.com/blahblah.png”.

I created the bucket and uploaded a PNG file with the same name “blahblah.png”. After that, when anyone visits the page they will see my uploaded content on the page.
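As an added example (not part of the original write-up or the add-on it mentions), here is a small Python audit that does offline what the add-on does in the browser: it pulls S3 bucket references out of a page and flags the ones S3 answers with “NoSuchBucket”, so a site owner can catch a dangling reference before someone else registers the name. The sample page, the bucket names and the error body are constructed placeholders.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample page (not the write-up's real site); the bucket names are placeholders.
SAMPLE_HTML = """
<img src="https://theoneiwaslookingfor.s3.amazonaws.com/blahblah.png">
<link href="https://s3.us-east-1.amazonaws.com/assets-example-bucket/app.css">
<script src="https://cdn.example.com/app.js"></script>
"""
# Constructed copy of the XML error body S3 returns for a bucket name nobody owns.
NOSUCHBUCKET_XML = "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"
_URL = re.compile(r"""https?://[^\s"'<>]+""")
# Virtual-hosted style <bucket>.s3[.region].amazonaws.com and path style s3[.region].amazonaws.com/<bucket>
_VHOST = re.compile(r"^([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
def extract_buckets(html: str) -> set:
    """Collect every S3 bucket name referenced by an absolute URL in the page."""
    found = set()
    for url in _URL.findall(html):
        u = urlparse(url)
        host = u.hostname or ""          # already lower-cased by urlparse
        if (m := _VHOST.match(host)):
            found.add(m.group(1))
        elif _PATH.match(host):
            bucket = u.path.lstrip("/").split("/", 1)[0]
            if bucket:
                found.add(bucket)
    return found

def classify(status: int, body: str) -> str:
    """Turn an unauthenticated GET of https://<bucket>.s3.amazonaws.com/ into a verdict."""
    if status == 404 and "NoSuchBucket" in body:
        return "unclaimed"   # the dangling case from the write-up: the name is free for anyone to register
    if status in (200, 403):
        return "claimed"     # bucket exists (listable, or exists but access denied)
    return "unknown"
def probe_bucket(bucket: str, timeout: float = 5.0) -> str:
    """Live check of one bucket over the network; non-HTTP failures map to unknown."""
    try:
        with urllib.request.urlopen(f"https://{bucket}.s3.amazonaws.com/", timeout=timeout) as r:
            return classify(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except OSError:                      # URLError, timeouts, DNS failures
        return "unknown"
def audit(html: str, probe=probe_bucket) -> dict:
    """Map each referenced bucket to its verdict; `probe` is injectable so the check can run offline."""
    return {b: probe(b) for b in sorted(extract_buckets(html))}
```

Running `audit(page_html)` with the default probe queries S3 once per referenced bucket; any bucket reported as “unclaimed” should be re-created under your own account or the reference removed from the page.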

are you guessing the program :0

Then I wrote a sweet little report. It was triaged and rewarded within a day.

Almost a year

Check my HackerOne and Bugcrowd profile.

You can contact me on Twitter.

That’s all. Thanks for reading and be safe.


Written by Imran Huda

I was travelling and reached here.
