- Severity
- Critical · CVSS 9.1
- Target
- European B2B SaaS Company
- Date
- 2026-02
- Category
- S3 Misconfiguration / Supply Chain Risk
Publicly Listable S3 Bucket: Desktop App Executables & Auto-Update Configs
The S3 bucket hosting the company's desktop application was publicly listable without authentication, exposing production and beta installers, unsigned executables, and auto-update configuration files. If write access was also misconfigured, an attacker could push malicious updates to all users.
Attack Chain
Step 1: S3 bucket listable without authentication
Full object listing returned dozens of files including executables and configs.
Step 2: Auto-update config exposed with integrity hashes
The update manifest contained version info, download paths, and SHA hashes used by the auto-update mechanism.
Step 3: Unsigned executables in beta directory
A beta directory contained executables that bypass code signing verification.
What Scanners Would Miss
S3 scanners check for public access. They don't understand that a listable bucket containing auto-update configs is a supply chain attack waiting to happen.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.