This article recounts the author’s entry into ethical hacking after watching a YouTube video about misconfigured S3 buckets. Motivated to build a tool that finds such misconfigurations efficiently, the author located sensitive data in a publicly listable bucket, reported it, and received a substantial bug bounty. Affected: publicly listable S3 buckets and the sensitive data stored in them
Keypoints :
- The author was inspired by a YouTube video on finding misconfigured S3 buckets.
- Dissatisfied with lab environments, the author sought real-world hacking experience.
- Developed a tool called S3BucketMisconf to automate the search for publicly accessible S3 buckets.
- Utilized DorkEye to find exposed buckets related to specific targets.
- Discovered a suspicious bucket named “target-public-docs” containing a substantial number of files.
- Automated analysis of the bucket listing to filter for sensitive file types such as PDFs and CSVs.
- Found and reported sensitive information, including financial statements and personal data.
- Received a bug bounty significantly higher than expected for the report.
- Encouraged others to start small, stay curious, and build useful tools in cybersecurity.
- Invited collaboration and suggestions for improving S3BucketMisconf.
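The keypoints above describe a three-step procedure: check whether a bucket answers anonymous requests, list its contents, and filter the keys for sensitive extensions. The following is an added example of that procedure written for this summary; it is not the author's S3BucketMisconf tool, it does not use DorkEye, and the bucket names, object keys and XML responses are constructed so it runs offline. It classifies a bucket from the anonymous ListObjectsV2 response (public listing, AccessDenied, NoSuchBucket), follows continuation tokens so a large bucket is walked completely, and flags keys by extension (PDF and CSV come from the article; the other extensions are this example's own additions).

```python
"""Check whether an S3 bucket is publicly listable and triage its object keys.

Added example for this summary; it is NOT the author's S3BucketMisconf tool and
does not use DorkEye. Network access is abstracted behind a `fetch` callable so
the demo runs offline against constructed responses. Bucket names, keys and
XML bodies below are made up for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple
from urllib.parse import quote

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Extensions to flag. PDF and CSV come from the article; the rest are this
# example's own additions (assumption).
SENSITIVE_EXTENSIONS = (".pdf", ".csv", ".xlsx", ".sql", ".bak", ".env", ".pem")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (http_status, body)


def list_url(bucket: str, token: Optional[str] = None) -> str:
    """Virtual-hosted-style ListObjectsV2 URL for an anonymous (unsigned) GET."""
    url = f"https://{bucket}.s3.amazonaws.com/?list-type=2"
    if token:
        url += "&continuation-token=" + quote(token, safe="")
    return url


def classify(status: int, body: str) -> str:
    """Map one anonymous GET to: public-listing | exists-private | nonexistent | other."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    if status == 200 and root.tag == f"{S3_NS}ListBucketResult":
        return "public-listing"
    if root.tag == "Error":                  # S3 error documents carry no namespace
        code = root.findtext("Code")
        if code == "AccessDenied":
            return "exists-private"          # bucket exists, anonymous listing denied
        if code == "NoSuchBucket":
            return "nonexistent"
    return "other"


def parse_page(body: str):
    """Return (keys, next_continuation_token or None) from one ListBucketResult."""
    root = ET.fromstring(body)
    keys = [c.findtext(f"{S3_NS}Key") for c in root.iter(f"{S3_NS}Contents")]
    truncated = (root.findtext(f"{S3_NS}IsTruncated") or "false") == "true"
    token = root.findtext(f"{S3_NS}NextContinuationToken") if truncated else None
    return keys, token


def audit_bucket(bucket: str, fetch: Fetcher, max_pages: int = 50) -> dict:
    """Classify the bucket and, if it is listable, page through every key and
    flag those whose extension is in SENSITIVE_EXTENSIONS."""
    status, body = fetch(list_url(bucket))
    state = classify(status, body)
    result = {"bucket": bucket, "state": state, "total_keys": 0, "flagged": []}
    if state != "public-listing":
        return result
    keys, pages = [], 0
    while True:
        page_keys, token = parse_page(body)
        keys.extend(page_keys)
        pages += 1
        if token is None or pages >= max_pages:
            break
        status, body = fetch(list_url(bucket, token))
        if classify(status, body) != "public-listing":
            break                            # listing revoked mid-walk; keep what we have
    result["total_keys"] = len(keys)
    result["flagged"] = sorted(k for k in keys if k.lower().endswith(SENSITIVE_EXTENSIONS))
    return result


# ---- constructed offline "network" (not real S3 responses) -------------------
def _listing(keys, token=None):
    contents = "".join(f"<Contents><Key>{k}</Key></Contents>" for k in keys)
    trunc = (f"<IsTruncated>true</IsTruncated><NextContinuationToken>{token}</NextContinuationToken>"
             if token else "<IsTruncated>false</IsTruncated>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
            f'<Name>target-public-docs</Name>{trunc}{contents}</ListBucketResult>')


_ERROR = '<?xml version="1.0" encoding="UTF-8"?><Error><Code>{code}</Code><Message>x</Message></Error>'

CANNED = {
    list_url("target-public-docs"): (200, _listing(
        ["index.html", "img/logo.png", "public-docs/brochure.pdf"], token="tok1")),
    list_url("target-public-docs", "tok1"): (200, _listing(
        ["finance/2023-Q3-statement.pdf", "exports/customers.csv", "notes.txt"])),
    list_url("target-private"): (403, _ERROR.format(code="AccessDenied")),
    list_url("target-missing"): (404, _ERROR.format(code="NoSuchBucket")),
}


def offline_fetch(url: str) -> Tuple[int, str]:
    return CANNED.get(url, (500, "<Error><Code>InternalError</Code></Error>"))


if __name__ == "__main__":
    for b in ("target-public-docs", "target-private", "target-missing"):
        print(audit_bucket(b, offline_fetch))
```

Swapping `offline_fetch` for a real HTTP GET turns this into a live check; note that it only reads the listing and never downloads objects, which is the right stopping point for a report, and that an AccessDenied bucket is still a finding of a different kind (the name is confirmed but the contents are not exposed). The `max_pages` cap keeps a multi-million-object bucket from turning one check into a long crawl.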