The Bucket You Deleted is Still in Your DNS: S3 Bucket Takeover at Bime

DEV Community · Bala Paranj · about 1 month ago

In 2016, a researcher found that a2.bime.io had a CNAME record pointing to bimeio.s3.amazonaws.com. The bucket bimeio did not exist. It was not owned by Bime. It was not owned by anyone. The researcher created the bucket in their own AWS account. a2.bime.io was now serving their content — under Bime's domain, with Bime's SSL certificate, trusted by Bime's users.

This is HackerOne #121461. The fix was either claiming the bucket name or deleting the CNAME. Either takes under a minute. The window between the bucket being deleted and the researcher claiming it was measured in days.

Why This Attack Requires Nothing

S3 bucket names are globally unique across all AWS accounts. When a bucket is deleted, the name becomes available to any AWS account immediately. If a DNS CNAME still points to that bucket's S3 endpoint, whoever registers the name first controls what the DNS record resolves to.…
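A defender-side audit of the condition described above, as an added example that is not part of the original article: it scans exported DNS records for CNAMEs that target S3 endpoints and reports those whose bucket name is not in the account's own inventory. The function names, the example.com records and the OWNED inventory are constructed for illustration.

```python
import re

# Virtual-hosted and website-style S3 endpoints; bucket names may contain dots.
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]+?)\.s3(?:-website)?"
    r"(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)

def s3_cnames(zone_text):
    """Yield (hostname, bucket) for every CNAME whose target is an S3 endpoint."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if "CNAME" not in fields:
            continue
        i = fields.index("CNAME")
        if i == 0 or i + 1 >= len(fields):       # malformed record, skip
            continue
        host = fields[0].rstrip(".").lower()
        m = S3_TARGET.match(fields[i + 1].lower())
        if m:
            yield host, m.group("bucket")

def find_unowned(zone_text, owned_buckets):
    """Return CNAMEs that point at a bucket name this account does not hold."""
    owned = {b.lower() for b in owned_buckets}
    return [(h, b) for h, b in s3_cnames(zone_text) if b not in owned]

# Constructed sample: a2.bime.io is the record from the article,
# the example.com / example.net records are made up for illustration.
ZONE = """\
a2.bime.io.         300 IN CNAME bimeio.s3.amazonaws.com.
static.example.com. 300 IN CNAME static-assets.s3-website-us-east-1.amazonaws.com.
docs.example.com.   300 IN CNAME docs.example.com.s3.eu-west-1.amazonaws.com.
www.example.com.    300 IN CNAME cdn.example.net.   ; not S3, ignored
"""
# Constructed inventory (assumption): in practice, the account's own bucket list.
OWNED = {"static-assets"}

if __name__ == "__main__":
    for host, bucket in find_unowned(ZONE, OWNED):
        print(f"{host} -> bucket '{bucket}' is not in the account inventory")
```

Comparing against the inventory rather than probing whether the bucket exists also catches the case where the name has already been registered by another account.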
