• deegeese@sopuli.xyz
    link
    fedilink
    arrow-up
    106
    ·
    6 months ago

    “By design” AWS bills project owners for unauthorized calls to the public S3 API.

    So what I’m reading from this is you can do a billing attack on anything hosted in AWS so long as you know one of their bucket names.

    • bamboo@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      49
      ·
      6 months ago

      Seriously, now that this is more widely known, it’ll for sure be taken advantage of a lot, to the point AWS will begrudgingly protect their customers once the damage is done.

  • wpuckering@lm.williampuckering.com
    link
    fedilink
    arrow-up
    87
    ·
    edit-2
    6 months ago

    You shouldn’t be charged for unauthorized requests to your buckets. Currently if you know any person’s bucket name, which is easily discoverable if you know what you’re doing, that means you can maliciously rack up their bill just to hurt them financially by spamming it with anonymous requests.

  • AmbiguousProps@lemmy.today
    link
    fedilink
    English
    arrow-up
    48
    ·
    6 months ago

    As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket.

    • LostXOR@fedia.io
      link
      fedilink
      arrow-up
      30
      ·
      6 months ago

      It’s completely insane that the tool would attempt to connect to a nonexistent bucket for backups by default instead of just… having them disabled completely?

  • sensiblepuffin@lemmy.world
    link
    fedilink
    arrow-up
    39
    arrow-down
    1
    ·
    6 months ago

    AWS was kind enough to cancel my S3 bill. However, they emphasized that this was done as an exception.

    Dicks.

    • atzanteol@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      It’s fine if you dislike a site. But the correct thing to do is not consume their content, not to work around it.

      • borari@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        Medium is the journalistic version of the gig economy apps, mixed with a bit of digital landlording. The correct thing to do here is to bypass any of Mediums paywalls you might run in to.

    • onlinepersona@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      I woke up yesterday morning and felt a little bit hazy. My feet tingled a little and that was an indication of what was going to happen. My podometric senses were tingling! Hahaha, get it? So anyway, after having a light breakfast and sitting down in front of my desk to check my emails, one in particular stood out. Being in a hurry however, I left for work and…

      Article written like this are reason for me to stop reading. So annoying. This article is a breath of fresh air.

      Anti Commercial-AI license

    • 30p87@feddit.de
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      6 months ago

      Chilling with nothing but my homeserver here. Backed up to the NAS, mirrored to my grandparents house. No charges, no misconfigurations, just Arch testing being more stable than any commercial service I know lol