Security researcher Aaron Phillips worked with cybersecurity professionals at SEGA Europe to protect sensitive files that were mistakenly stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. On closer inspection, internal cloud security settings were found to be inadequate, which could have exposed visitors and employees of SEGA domains to digital threats such as malware and ransomware.
The joint efforts of the security researchers ensured that no harm was done and that SEGA was able to take its security measures to the next level. Potential vulnerabilities have now been patched and people are no longer at increased risk when visiting the websites and forums of their favourite SEGA games.
In the case of such vulnerabilities, information and knowledge sharing is crucial. Organizations can learn from each other’s case studies and experiences, which enables them to better protect themselves and their users. In addition, it is much more desirable for a vulnerability to be discovered and shared responsibly by a security researcher than by a hacker with criminal intentions.
Several sets of AWS keys were found in the affected Amazon bucket, with which it was possible to run scripts and upload files to domains of SEGA Europe. This made the websites of several popular games and SEGA’s CDN (Content Delivery Network) services susceptible to malware distribution.
The researchers also managed to get hold of several API keys, which allowed further privilege escalation. With these extended rights, the team had direct access to several SEGA Europe cloud services. The researchers also found valid API keys for Mailchimp and Steam, allowing them to use these services on behalf of SEGA.
SEGA also stores user data of some 250,000 users of the community forum of SEGA’s Football Manager game in Amazon buckets. It is crucial that this data is kept carefully and securely. There is no indication that malicious parties have accessed the sensitive data or exploited any of the vulnerabilities.
SEGA Europe cloud security vulnerabilities
During the investigation, the researchers were able to gain access to the following parts of SEGA Europe:
| Access | Impact |
| --- | --- |
| Steam developer key | Average |
| Database password and RSA keys | Serious |