Severity
Critical · CVSS 9.1
Target
European B2B SaaS Company
Date
2026-02
Category
S3 Misconfiguration / Supply Chain Risk

Publicly Listable S3 Bucket: Desktop App Executables & Auto-Update Configs

The S3 bucket hosting the company's desktop application was publicly listable without authentication, exposing production and beta installers, unsigned executables, and auto-update configuration files. If write access was also misconfigured, an attacker could push malicious updates to all users.

Attack Chain

    Step 1: S3 bucket listable without authentication

    Full object listing returned dozens of files including executables and configs.

    Step 2: Auto-update config exposed with integrity hashes

    The update manifest contained version info, download paths, and SHA hashes used by the auto-update mechanism.

    Step 3: Unsigned executables in beta directory

    A beta directory contained executables that bypass code signing verification.

What Scanners Would Miss

S3 scanners check for public access. They don't understand that a listable bucket containing auto-update configs is a supply chain attack waiting to happen.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.