One-Packet Disaster: Capital One and the Cloud Unlocked by SSRF
What Happened?
In 2019, Capital One, one of the largest banks in the USA, suffered one of the biggest cloud-based data breaches in history. Personal information belonging to approximately 106 million people (about 100 million in the United States and 6 million in Canada) was taken by an unauthorized individual. The data included names, addresses, dates of birth, email addresses, phone numbers, self-reported income, credit scores and credit limits, and, for a smaller subset of applicants, linked bank account numbers (about 80,000) and Social Security numbers (about 140,000). The breach caused a major stir because the bulk of the records came from credit card applications, some going back to 2005.
Most of the compromised data had been collected through Capital One’s credit card application system. That system ran on AWS, so the safety of the data depended on how the WAF (Web Application Firewall) in front of it was configured and on the IAM permissions granted to the servers behind it.
How Did It Happen?
The person behind the attack was Paige Thompson, a former software engineer who had previously worked at Amazon Web Services (AWS). Thompson found that a misconfigured WAF running on an EC2 instance in Capital One’s AWS environment could be made to issue HTTP requests on her behalf: a classic SSRF (Server-Side Request Forgery). She pointed those requests at the EC2 instance metadata service (169.254.169.254), which at the time answered any plain GET request, and read the temporary credentials (access key ID, secret access key and session token) of the IAM role attached to that instance. That role was allowed to list and read a large number of S3 buckets.
With these credentials, Thompson was able to list Capital One’s S3 buckets (several hundred of them) and sync the contents of those the role could read. The data was approximately 30 GB in size and included both structured records (JSON, CSV) and semi-structured data such as log files. An important detail is that encryption at rest did not help here: Capital One encrypted its data as a standard, but the stolen role credentials were also sufficient to decrypt it, so anyone holding that role saw the data in the clear. Only the fields Capital One had tokenized (notably most Social Security numbers and account numbers) remained protected.
Thompson uploaded some of the acquired data to GitHub and openly discussed what she had done on Slack and Twitter. Fortunately, an outside party noticed the GitHub files and, on July 17, 2019, reported them to Capital One’s responsible disclosure email address. Capital One confirmed the intrusion on July 19 and publicly disclosed it on July 29.
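The attack chain described above, and the IMDSv2 fix discussed later on this page, as an added example that is not Capital One’s or AWS’s code. A tiny in-process HTTP server stands in for the instance metadata service (on 127.0.0.1 instead of 169.254.169.254), `ssrf()` models the vulnerable proxy that will fetch any URL a client names but can only issue GET requests, and the same server can be started in IMDSv1 mode or in IMDSv2 `HttpTokens=required` mode. The paths and header names follow the real IMDS API; the role name and credential values are constructed.

```python
"""Simulated SSRF against the EC2 instance metadata service (IMDS).

Added example, not Capital One's or AWS's code. The credential values,
role name and port are constructed; the IMDS paths and the IMDSv2 token
headers are the real ones.
"""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

ROLE = "example-WAF-Role"                     # constructed role name
FAKE_CREDS = {                                 # constructed values
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "exampleSecret",
    "Token": "exampleSessionToken",
}
CRED_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE}"
TOKEN_PATH = "/latest/api/token"                   # IMDSv2 session start
TOKEN_HDR = "X-aws-ec2-metadata-token"             # IMDSv2 session token
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"   # required on the PUT

# Ignore any http_proxy environment so the example always talks to localhost.
OPENER = build_opener(ProxyHandler({}))


def make_handler(require_token):
    """Build a handler class for a fake IMDS; require_token=True models
    IMDSv2 with HttpTokens=required, False models the 2019 IMDSv1 default."""
    tokens = set()

    class IMDS(BaseHTTPRequestHandler):
        def log_message(self, *_):  # keep the example quiet
            pass

        def _send(self, code, body=""):
            data = body.encode()
            self.send_response(code)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_PUT(self):
            # IMDSv2: a PUT carrying a TTL header returns a session token.
            if self.path == TOKEN_PATH and TTL_HDR in self.headers:
                tok = secrets.token_hex(16)
                tokens.add(tok)
                return self._send(200, tok)
            self._send(400)

        def do_GET(self):
            # IMDSv2 'required': a GET without a valid session token gets 401.
            if require_token and self.headers.get(TOKEN_HDR) not in tokens:
                return self._send(401)
            if self.path == CRED_PATH:
                return self._send(200, json.dumps(FAKE_CREDS))
            self._send(404)

    return IMDS


def start_imds(require_token):
    """Start the fake IMDS on an ephemeral localhost port and return the server."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def ssrf(url):
    """The vulnerable proxy: fetches whatever URL it is told to, GET only."""
    try:
        with OPENER.open(Request(url, method="GET"), timeout=2) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, ""


def steal_role_creds(srv):
    """Attacker's view: abuse the SSRF to read the instance role's credentials."""
    status, body = ssrf(f"http://127.0.0.1:{srv.server_port}{CRED_PATH}")
    return json.loads(body) if status == 200 else None


def legit_fetch(srv):
    """What a real IMDSv2 client does: PUT for a token, then GET with the token."""
    base = f"http://127.0.0.1:{srv.server_port}"
    with OPENER.open(Request(base + TOKEN_PATH, method="PUT",
                             headers={TTL_HDR: "21600"}), timeout=2) as r:
        tok = r.read().decode()
    with OPENER.open(Request(base + CRED_PATH, headers={TOKEN_HDR: tok}),
                     timeout=2) as r:
        return json.loads(r.read().decode())


if __name__ == "__main__":
    v1 = start_imds(require_token=False)
    print("IMDSv1 via SSRF:", steal_role_creds(v1))   # credentials leak
    v2 = start_imds(require_token=True)
    print("IMDSv2 via SSRF:", steal_role_creds(v2))   # None: GET-only SSRF cannot start a session
    print("IMDSv2 real client:", legit_fetch(v2))     # the instance itself still works
```

The point the simulation makes is that the SSRF primitive does not go away with IMDSv2; what changes is that a GET-only request forger can no longer complete the PUT handshake, so the role credentials stay on the instance. On a real instance the same two-step exchange is what `aws ec2 modify-instance-metadata-options --http-tokens required` enforces.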
What Were the Consequences?
Following the announcement of the incident, Capital One faced pressure from both the public and regulatory bodies. Although the company went public only ten days after confirming the intrusion, it emerged that the unauthorized access had begun in March 2019 and had gone unnoticed for about four months, until an outside tip rather than Capital One’s own monitoring brought it to light.
As a result, the following consequences occurred:
- The U.S. Office of the Comptroller of the Currency (OCC) imposed an $80 million civil money penalty in August 2020, citing failures in the bank’s cloud risk assessment and in its controls.
- Capital One later agreed to a class-action settlement of $190 million with affected consumers.
- Approximately 106 million people were affected and were offered free credit monitoring and identity protection.
- Internal cybersecurity policies and cloud controls were reviewed and reworked.
- The incident served as a serious warning to all other major banks and financial companies operating on AWS.
- Thompson was tried and, in June 2022, convicted of wire fraud and of unauthorized access to and damaging a protected computer under the Computer Fraud and Abuse Act.
What Measures Could Have Been Taken?
The Capital One case contains numerous lessons. The following measures are critical for organizations operating on AWS:
- IMDSv2 Usage: The metadata service on EC2 instances is the natural target of an SSRF, because the original IMDSv1 answered any plain GET. In November 2019, after this incident, AWS released IMDSv2, which requires a session token obtained with a PUT request (carrying a TTL header) and sent back in a header on every subsequent request; the token response also has a hop limit of 1 and requests with an X-Forwarded-For header are rejected, so requests relayed by a proxy or a GET-only SSRF fail. IMDSv2 did not exist at the time of the breach, but today it should be enforced on every instance with the HttpTokens=required setting, and new instances should be launched with it by default.
- Least Privilege Principle: IAM roles should be granted only the permissions the workload actually needs, with data read/write rights scoped to specific buckets and prefixes. The role attached to the WAF instance could list and read several hundred S3 buckets, while a WAF has no business reading customer data at all; that gap between what the role could do and what it needed to do is what turned a request-forgery bug into a mass data theft.
- Penetration Tests and Vulnerability Scans: Internet-facing components in particular (WAF, reverse proxies, API gateways, etc.) should be tested regularly, including third-party penetration tests that specifically try SSRF against the metadata endpoint.
- Encryption: Encrypting data in S3 is necessary but not sufficient. Server-side encryption whose key the application role can use is transparently undone for anyone holding that role’s credentials, which is exactly what happened here. Sensitive datasets should use SSE-KMS with key policies that grant decrypt rights only to the principals that consume the data, and the most sensitive fields should be tokenized, as the fields that stayed protected in this breach were.
- Logging and Monitoring: All IAM activity and S3 data access should be logged with AWS CloudTrail (including S3 data events) and analyzed with GuardDuty or an equivalent, with automatic alerts for anomalies such as instance role credentials being used from an IP address outside AWS or a role suddenly listing hundreds of buckets. Either signal would have exposed this intrusion months before the outside tip arrived.
- Security Culture: After this incident, Capital One began to treat cybersecurity not just as a technical team’s job but as a responsibility of the entire organization. It became clear that security awareness needed to reach every employee, including the engineers who configure cloud roles and firewalls.
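The kind of monitoring the “Logging and Monitoring” point calls for, as an added example rather than Capital One’s code or an AWS product feature. The detector below runs over constructed CloudTrail records (the account ID, role name, instance ID and IP ranges are made up; the record layout follows CloudTrail’s) and raises two of the signals that were present in this breach: instance role credentials used from an IP outside the egress ranges the instance should be using, and a role whose only job is the WAF calling S3 at all, which ties back to the least-privilege point above.

```python
"""Two CloudTrail detections for stolen EC2 instance-role credentials.

Added example, not Capital One's code. SAMPLE_EVENTS are constructed in
CloudTrail's record shape; the account id, role, instance id and IP
addresses are made up (RFC 5737 documentation ranges).
"""
import ipaddress
import json

# Where the WAF instance legitimately egresses from (constructed NAT range).
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Roles that should never touch S3 data, whatever their IAM policy allows.
ROLES_WITH_NO_S3_BUSINESS = {"example-WAF-Role"}
S3_DATA_CALLS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}


def _event(name, source, ip, identity_type="AssumedRole", role="example-WAF-Role"):
    """Build one constructed CloudTrail record as a JSON line."""
    ident = {"type": identity_type}
    if identity_type == "AssumedRole":
        ident["arn"] = f"arn:aws:sts::123456789012:assumed-role/{role}/i-0123456789abcdef0"
        ident["sessionContext"] = {
            "sessionIssuer": {"type": "Role", "userName": role},
            # CloudTrail adds this field when the session credentials came from IMDS.
            "ec2RoleDelivery": "1.0",
        }
    else:
        ident["userName"] = "alice"
    return json.dumps({"eventSource": source, "eventName": name,
                       "sourceIPAddress": ip, "userIdentity": ident})


SAMPLE_EVENTS = [
    # Normal: WAF instance shipping its logs from the expected NAT address.
    _event("PutLogEvents", "logs.amazonaws.com", "203.0.113.10"),
    # Attack: the role's credentials used from the internet to enumerate buckets...
    _event("ListBuckets", "s3.amazonaws.com", "198.51.100.77"),
    # ...and to pull data.
    _event("GetObject", "s3.amazonaws.com", "198.51.100.77"),
    # An IAM user (not instance creds) listing buckets: not this detector's job.
    _event("ListBuckets", "s3.amazonaws.com", "198.51.100.5", identity_type="IAMUser"),
    # Calls made by an AWS service carry a service name, not an IP; must not crash.
    _event("DescribeInstances", "ec2.amazonaws.com", "autoscaling.amazonaws.com"),
]


def session_role(ev):
    """Return (role name, came_from_imds) for AssumedRole sessions, else (None, False)."""
    ident = ev.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None, False
    ctx = ident.get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("userName"), "ec2RoleDelivery" in ctx


def analyze(lines):
    """Yield (rule, role, eventName, sourceIP) findings for each suspicious record."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        role, from_imds = session_role(ev)
        if role is None:
            continue
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # AWS service principals appear here as hostnames
        if from_imds and not any(ip in net for net in EXPECTED_EGRESS):
            findings.append(("instance-creds-from-unexpected-ip", role, ev["eventName"], str(ip)))
        if (role in ROLES_WITH_NO_S3_BUSINESS and ev["eventSource"] == "s3.amazonaws.com"
                and ev["eventName"] in S3_DATA_CALLS):
            findings.append(("waf-role-touching-s3", role, ev["eventName"], str(ip)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(*f)
```

Both rules fire on the same two records here, which is the expected shape of this incident: the credentials were used from outside AWS (Thompson connected through Tor and a VPN) and were used for S3 calls a WAF never makes. GuardDuty ships a managed equivalent of the first rule for credentials used outside AWS; the second is an organization-specific rule that only works if someone has written down what each role is for.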