How to Detect and Exploit Cloud Access Key (AK/SK) Leaks

Introduction

Cloud platforms are essential for reducing enterprise resource costs, but the widespread use of access credentials (AK/SK) creates a common vulnerability: cloud host key leakage, which allows attackers to hijack cloud servers and access or delete sensitive data.

0x01 Vulnerability Overview

Cloud hosts authenticate requests using Access Key Id (AK) and Secret Access Key (SK). AK identifies the user, while SK is a secret used for symmetric encryption of the authentication string. The server regenerates the string with the stored SK and compares it to the one supplied by the client; a match grants the requested permissions.

0x02 Common Leakage Scenarios

Error pages or debug information exposing keys.

Searches on GitHub, FOFA, etc.

Configuration files on web servers.

JavaScript files containing credentials.

Source code leaks (e.g., APK or mini‑program decompilation).

File upload/download endpoints that return files containing keys.

HeapDump files that capture in‑memory objects.

0x03 Practical Examples

Case 1: AK/SK leakage in a HeapDump file

A HeapDump is a JVM memory snapshot that can contain sensitive objects such as access keys. Using tools like RouteVulScan (https://github.com/F6JO/RouteVulScan) and heapdump_tool (https://github.com/wyzxxz/heapdump_tool), an attacker can download a heapdump, extract it, and search globally for AK/SK strings.

Case 2: JavaScript file key leakage

Tools such as trufflehog can scan JavaScript files for embedded AK/SK values. Running the tool against a target site reveals any leaked credentials in the findings.

Case 3: Mini‑program upload endpoints

Intercepting requests when a user uploads an avatar in a mini‑program can expose accessKeyId and accessKeySecret in the traffic, allowing credential theft.

Case 4: Configuration files (e.g., Nacos)

Backend configuration pages of services like Nacos may inadvertently display AK/SK values.

0x04 Exploitation

1. Bucket takeover with AK/SK

Using tools such as Alibaba Cloud OSS Browser or Tencent Cloud COS Browser, an attacker can import the leaked keys, gain full control of the storage bucket, and perform read, write, delete, and upload operations.

2. Command execution on compromised hosts

The cf framework (https://github.com/teamssix/cf) can enumerate permissions associated with the leaked AK/SK and execute commands on the target cloud instance, e.g., cf tencent cvm exec -c whoami. Additional tools such as aliyun-accesskey-Tools (https://github.com/mrknow001/aliyun-accesskey-Tools) support similar operations on Alibaba Cloud.