Auths Gone Wild: When ‘Authenticated’ Means Anyone

Danielle Aminov, Yaara Shriki

Cloud Village @ DEF CON 33 · Day 1

In the rapidly expanding landscape of cloud computing, organizations increasingly rely on cloud service providers (CSPs) like AWS, GCP, and Azure to store their most sensitive data, from customer PII to proprietary secrets. Ensuring the privacy and security of this data is paramount, yet a pervasive and often misunderstood misconfiguration leaves vast amounts of information silently exposed. The talk "Auths Gone Wild: When ‘Authenticated’ Means Anyone," presented by Wiz threat researchers Danielle Aminov and Yaara Shriki, delves into this critical issue, revealing how resources believed to be private are in fact accessible to any authenticated user of the CSP: not only the owning organization's own identities, but anyone who holds an account with that provider.
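The grants behind this misconfiguration class are explicit in the provider APIs: an S3 ACL grant to the predefined `AuthenticatedUsers` group, an S3 bucket policy whose wildcard principal is narrowed only by a non-principal condition, or a GCS IAM binding to `allAuthenticatedUsers`. The following is an added example written for this page, not code from the talk or from the `authentikit` tool. It classifies such grants offline from the document shapes returned by S3 `GetBucketAcl`, S3 `GetBucketPolicy` and GCS `getIamPolicy`; it covers AWS and GCP only (Azure is not modeled), and the sample documents at the bottom are constructed.

```python
"""Classify CSP access grants that say 'authenticated' but mean anyone.

Added example, not code from the talk or the authentikit tool. Inputs are
the shapes returned by S3 GetBucketAcl, S3 GetBucketPolicy and GCS
getIamPolicy; the sample documents at the bottom are constructed.
"""

# S3 predefined ACL groups. AuthenticatedUsers is every AWS account worldwide.
S3_ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
S3_AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# GCP IAM special members. allAuthenticatedUsers is every Google account.
GCP_ALL_USERS = "allUsers"
GCP_ALL_AUTHENTICATED = "allAuthenticatedUsers"

# Condition keys that actually pin a wildcard AWS principal to identities.
AWS_PRINCIPAL_PINS = {"aws:PrincipalArn", "aws:PrincipalAccount",
                      "aws:PrincipalOrgID", "aws:PrincipalOrgPaths"}

# Any grant to every account on the CSP is public for practical purposes.
PUBLIC_SCOPES = {"anonymous", "any-aws-account", "any-google-account"}


def s3_acl_findings(acl: dict) -> list:
    """Flag ACL grants to the two global groups (grantee type Group, by URI)."""
    scopes = {S3_ALL_USERS: "anonymous", S3_AUTHENTICATED_USERS: "any-aws-account"}
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        scope = scopes.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if scope:
            out.append({"source": "acl", "scope": scope, "permission": grant.get("Permission")})
    return out


def _wildcard_principal(principal) -> bool:
    # "Principal": "*" and {"AWS": "*"} both admit unauthenticated requests
    # unless a Condition narrows the principal.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def s3_policy_findings(policy: dict) -> list:
    """Flag Allow statements with a wildcard principal that no principal
    condition pins. Keys such as aws:SecureTransport or aws:SourceIp do not
    narrow who the principal is, so those statements still reach anyone."""
    out = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        keys = set()
        for block in stmt.get("Condition", {}).values():
            keys.update(block.keys() if isinstance(block, dict) else [])
        if keys & AWS_PRINCIPAL_PINS:
            continue  # pinned to specific identities, accounts or an org
        actions = stmt.get("Action", [])
        out.append({"source": "policy", "scope": "anonymous", "sid": stmt.get("Sid"),
                    "actions": [actions] if isinstance(actions, str) else actions})
    return out


def gcs_iam_findings(policy: dict) -> list:
    """Flag IAM bindings whose members include allUsers or allAuthenticatedUsers."""
    scopes = {GCP_ALL_USERS: "anonymous", GCP_ALL_AUTHENTICATED: "any-google-account"}
    return [{"source": "gcs-iam", "scope": scopes[m], "role": b.get("role")}
            for b in policy.get("bindings", []) for m in b.get("members", []) if m in scopes]


def effectively_public(findings: list) -> bool:
    """True if any finding grants access to every account on the CSP."""
    return any(f["scope"] in PUBLIC_SCOPES for f in findings)


# Constructed samples. An anonymous-only probe passes the ACL and the GCS
# policy below, yet both are readable by any account on the provider.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": S3_AUTHENTICATED_USERS}, "Permission": "READ"},
]}
SAMPLE_GCS = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
    {"Sid": "TlsOnly", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
]}

if __name__ == "__main__":
    for name, found in [("acl", s3_acl_findings(SAMPLE_ACL)),
                        ("policy", s3_policy_findings(SAMPLE_POLICY)),
                        ("gcs", gcs_iam_findings(SAMPLE_GCS))]:
        print(name, "PUBLIC" if effectively_public(found) else "ok", found)
```

Run against real buckets, this static check is the complement of a live two-step probe (an unauthenticated request followed by one signed with an unrelated account of the same provider): the probe proves reachability, the policy check explains which grant caused it and survives for resources a scanner never requested.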

AI review

Competent, well-structured research on a real misconfiguration class that traditional scanners miss — but this is a Cloud Village talk, not a Black Hat main stage slot, and it fits that tier exactly. The core finding (authenticated != private, and scanners only test anon) is genuine and the empirical data from 60k buckets gives it teeth, but the underlying concept isn't new to anyone who's spent serious time in cloud IAM. The `authentikit` tool is a useful artifact, but it's a relatively thin implementation of a two-step scan.
