
MIT Technology Review

 


A new paper has revealed what its authors call “alarming” vulnerabilities in controls over Amazon’s cloud service, but the problems were fixed before anyone could exploit them in real life. If they hadn’t been addressed, the weaknesses could have allowed hackers to sidestep cryptographic protections and reprogram or delete customers’ virtual computers and steal their data, the researchers say.

The paper—titled “All Your Clouds Are Belong to Us,” a play on a decade-old Internet meme—was produced by several researchers based at Ruhr University in Germany. It showed flaws in the client controls of Amazon’s Elastic Compute Cloud (EC2) service, which is used by a growing number of large Web companies including Foursquare and Yelp, government agencies including the National Renewable Energy Lab, media companies such as the Washington Post, and academic institutions such as the University of Barcelona and the University of Melbourne.

The principal hack described involves a messaging system that companies use to do things like create and delete virtual computers as needed. The researchers were able to change those messages in a way that Amazon’s cryptographic authentication systems failed to detect. And Amazon’s service would have executed the malicious instructions along with the proper ones. The approach exploited a specific kind of vulnerability first reported by IBM researchers in 2005.

The effects were potentially devastating. “One eavesdropped message—or a message gained another way—was enough to get control over the whole user’s cloud,” says Juraj Somorovsky, one of the researchers involved in the study. “Cloud interfaces are generally a prominent attack target. If an attacker compromises a cloud interface, he could misuse its vulnerabilities to get control over users’ data.” Users’ computations could also be manipulated, he adds.

Kay Kinton, an Amazon spokeswoman, said in an e-mail statement that “the potential vulnerabilities reported by researchers […] have been corrected and no customers have been impacted.” She also disputed that data would have been at risk, saying that the process Amazon uses to store customer data would not have allowed even the researchers to see and expose passwords or other information.


Credit: Technology Review

Tagged: Computing, Business, security, cloud computing, hackers, crime
