Viacom logo
Vital login passwords belonging to Viacom were left exposed in a public-facing database. Kopiersperre/Wikimedia Commons

Security researchers recently discovered an unsecured Amazon server that contained critical login credentials and configuration files for servers and platforms operated by media giant Viacom.

The exposed Amazon Web Services cloud storage bucket contained information that if stolen, could provide malicious actors with direct access to vital digital infrastructure maintained by the massive media conglomerate.

The exposure was first discovered on Aug. 30 by Chris Vickery, the director of cyber risk researcher at cyber resiliency firm UpGuard. The database was still being regularly updated at the time of its discovery, likely with backup files of vital data.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

Vickery informed Viacom of the unsecure storage bucket on Aug. 31, and the company secured the repository within hours. While the speedy response time is encouraging, it doesn’t cover for the fact the information was readily available to anyone who found the database prior to Viacom securing it.

During that unknown period of exposure prior to its discovery, any person could have accessed the database if they knew or found the direct URL it was hosted at. The database was public-facing and the files within could be downloaded by just about anyone.

That could spell trouble for Viacom, as the server appeared to contain a significant amount of information about the company’s internal information technology infrastructure—something that is penetrated by a malicious source could grant access to do a significant amount of damage to the company.

According to UpGuard, the repository contained login credentials—including passwords—and manifests for Viacom servers that are used to maintain and build upon the corporation’s IT infrastructure.

The database also contained an access key and secret key for Viacom’s AWS account, which could be used to compromise the company’s entire cloud presence by gaining unauthorized access to company servers, storage and other vital databases.

The cloud storage bucket was identified by a subdomain named “mcs-puppet,” which is believed to make reference to the company’s Multiplatform Compute Services—a group that “supports the infrastructure of hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount and BET,” according to a job listing.

“Puppet” refers to a commonly used IT configuration tool that allows enterprises to create up new servers and quickly scale their operations.

UpGuard explained the importance of Puppet and the exposed credentials thusly:

“In order to ensure these servers fit any necessary internal specifications, a Puppet manifest is created, providing instructions for provisioning a server of the type and are able to access all other relevant systems—which means the ‘puppetmaster’ usually needs to know all of the relevant access credentials. Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket.”

Viacom is far from the first to fall victim to an unsecured cloud storage database. Similar exposures have plagued everyone from other mega-corporations like Verizon to military contractors and even the WWE.

In a statement provided to International Business Times, a spokesperson for Verizon said, "Once Viacom became aware that information on a server -- including technical information, but no employee or customer information -- was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact."