Aggregator

Gretchen saw this line in the front-end code for their website and freaked out:

let bucket = new AWS.S3({ params: { Bucket: 'initech-logos' } });

This appeared to be creating an object to interact with an Amazon S3 bucket on the client side. Which implied that tokens for interacting with S3 were available to anyone with a web browser.

Fortunately, Gretchen quickly realized that this line was commented out. They were not hosting publicly available admin credentials on their website anymore.

.comment { border: none; }

They used to, however, and the comments in the code made this a bit more clear:

// inside an angular component: uploadImage(): void { const uniqueName = `${this.utils.generateUUID()}_${this.encrDecSrvc.getObject(AppConstants.companyID)}_${this.file.name}` /*; @note: Disable usage of aws credential, transfer flow to the backend. @note; @disable-aws-credential */ /*; AWS.config.region = 'us-east-1' let bucket = new AWS.S3({ params: { Bucket: 'initech-billinglogos' } }); */ const bucket = ( AWSBucketMask ); const params = { Bucket: 'initech-logos', Key: 'userprofilepic/' + uniqueName, ACL: "public-read", Body: this.file }; const self = this; bucket.upload( params, function (err, data) { if (err) { console.log("error while saving file on s3 server", err); return; } self.isImageUrl = true; self.imageUrl = data.Location; self.myProfileForm.controls['ProfilePic'].setValue(self.imageUrl); self.encrDecSrvc.addObject(AppConstants.imageUrl, self.imageUrl); self.initechAPISrvc.fireImageView(true); self.saveProfileData(); self.fileUpload.clear() }, self.APISrvc ); }

Boy, this makes me wonder what that AWSBucketMask object is, and what its upload function does.

export class AWSBucketMask { public static async upload( option, callback, service ){ const fileReader = new FileReader( ); fileReader.onloadend = ( ( ) => { const dataURI = ( `${ fileReader.result }` ); const [ entityType, mimeType, baseType, data ] = ( dataURI.split( /[\:\;\,]/ ) ); option.ContentEncoding = baseType; option.ContentType = mimeType; option.Body = data; service.awsBucketMaskUpload( option ) .subscribe( function( responseData ){ callback( null, responseData.data ); }, function( error ){ callback( error ); } ); } ); fileReader.readAsDataURL( option.Body ); } public static async deleteObject( option, callback, service ){ service.awsBucketMaskDeleteObject( option ) .subscribe( function( responseData ){ callback( null, responseData ); }, function( error ){ callback( error ); } ); } public static async deleteObjects( option, callback, service ){ service.awsBucketMaskDeleteObjects( option ) .subscribe( function( responseData ){ callback( null, responseData ); }, function( error ){ callback( error ); } ); } public static async getSignedUrl( namespace, option, callback, service ){ service.awsBucketMaskGetSignedUrl( namespace, option ) .subscribe( function( responseData ){ callback(null, responseData.data); }, function( error ){ callback( error ); } ); } }

The important thing to notice here is that each of the methods here invokes a web service service.awsBucketMaskUpload, for example. Given that nothing actually checks their return values and it's all handled through callback hell, this is a clear example of async pollution- methods being marked async without understanding what async is supposed to do.

But that's not the real WTF. You may notice that these calls back to the webservice are pretty thin. You see, here's the problem: originally, they just bundled the S3 into the client-side, so the client-side code could do basically anything it wanted to in S3. Adding a service to "mask" that behavior would have potentially meant doing a lot of refactoring, so instead they made the service just a dumb proxy. Anything you want to do on S3, the service does for you. It does no authentication. It does no authorization. It runs with the admin keys, so if you can imagine a request you want to send it, you can send it that request. But at least the client doesn't have access to the admin keys any more.

This is an accounting application, so some of the things stored in S3 are confidential financial information.

Gretchen writes:

We have to take cybersecurity courses every 3 months, but it seems like this has no effect on the capabilities of my fellow coworkers.

You can lead a programmer to education, but you can't make them think.

[Advertisement] Plan Your .NET 9 Migration with Confidence
Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!

SanDisk aims to produce petabyte-scale SSDs through its new UltraQLC platform, though the company has not specified a release timeline. The technology, it said, combines SanDisk's BICS 8 QLC 3D NAND with a proprietary 64-channel controller featuring hardware accelerators that offload storage functions from firmware to reduce latency and improve reliability. The initial UltraQLC drives will use 2Tb NAND chips to reach 128TB capacities, with future iterations targeting 256TB, 512TB, and eventually 1PB as higher-density NAND becomes available. The controller dynamically adjusts power based on workload and employs an advanced bus multiplexer to handle increased data loads from high-density QLC stacks, the company said.

Read more of this story at Slashdot.

LIVE UPDATES: A Delta plane crash-landed at Toronto's Pearson international airport on Monday injuring at least eight people.

Patrick Schwarzenegger is reveling in the social media frenzy surrounding his jaw-dropping debut on The White Lotus. Patrick, clearly enjoying the buzz, gleefully reshared several tweets.

A new move by New Zealand to attract Aussie tourists has led to mockery on both sides of the ditch.

Penguin Emperor's weekly State Of The Kernel post went astray

Next time autocomplete takes over and you accidentally send an email to the wrong person or group, perhaps it will be a little solace to know that one of the world’s most accomplished technologists – Linux kernel boss Linus Torvalds – just made that same mistake.…

Bosses have said they are aware of the works needed at the Tube station

Caroline Kennedy is expected to meet with President Trump regarding his dramatic overhaul of the Kennedy Center for Performing Arts, DailyMail.com has learned. 

Devices containing crypto wallets tracked online, then in the real world

Indian authorities seize loot from BitConnect crypto-Ponzi scheme Devices containing crypto wallets tracked online, then in the real world India’s Directorate of Enforcement has found and seized over $200 million of loot it says are the proceeds of the BitConnect crypto-fraud scheme.…

JEMIMA CAINER: The Sun enters Pisces today while the Moon moves into Scorpio. This intensely emotional energy is disrupted a little by Venus making a minor aspect to Uranus.

IAN HERBERT: It was the casual way Arne Slot threw out Mohamed Salah's name in the Anfield press conference room early on Sunday evening which screamed his significance.

Inhaling the bacteria could produce symptoms like abdominal cramps, nausea, diarrhoea, and vomiting. But there is one thing you can do in the bathroom to stop these nasty effects.

Their performances have earned them a reputation as one of the most authentic and exhilarating Muse tribute acts.

A family from Mersea are appearing in George Clarke’s Building Home programme after a “fascinating journey” into the history of their property.

They flocked to the town for its affordability and quietness - but it's the 'friendly' community that really stands out

The 24-year-old Bloodhounds star was discovered lifeless by a friend who visited the Seoul home and called police, local media reports.

The Universal Pictures 'mythic action epic shooting across the world using brand new IMAX film technology' is already scheduled to hit IMAX theaters on July 17, 2026

NAND flash prices are expected to slide due to oversupply, forcing memory chipmakers to cut production to match lower-than-expected orders from PC and smartphone manufacturers. From a report: The superabundance of stock is putting a financial strain on suppliers of NAND flash, according to TrendForce, which says growth rate forecasts are being revised down from 30 percent to 10-15 percent for 2025. "NAND flash manufacturers have adopted more decisive production cuts, scaling back full-year output to curb bit supply growth. These measures are designed to swiftly alleviate market imbalances and lay the groundwork for a price recovery," TrendForce stated. Shrish Pant, Gartner director analyst and technology product leader, expects NAND flash pricing to remain weak for the first half of 2025, though he projects higher bit shipments for SSDs in the second half due to continuing AI server demand. "Vendors are currently working tirelessly to discipline supply, which will lead to prices recovering in the second half of 2025. Long term, AI demand will continue to drive the demand for higher-capacity/better-performance SSDs," Pant said. Commenting on the seasonal nature of the memory market, Pant told The Register: "Buying patterns will mean that NAND flash prices will remain cyclical depending on hyperscalers' buying behavior."

Read more of this story at Slashdot.

He is due to appear in court as he faces one charge of penetrative sexual activity with a girl aged between 13 and 15.

Isla Fisher has returned to her home country to film her new movie Spa Weekend on the Gold Coast amid her $120 million divorce from ex-husband Sacha Baron Cohen.