Because I like to play with technology and find its weak/ breaking points (so they can be strengthened), I felt inspired to write about a flaw with Windows Azure which I became aware of during a 3-day course I attended last week.
The website example we looked at during the course was using a Windows Azure cloud service to host and supply webcasts to the public, which doesn’t come free to the site’s owner since according to the current Windows Azure pricing, one would be charged roughly $0.12 per 1 Gb of data downloaded by the site’s end users.
So far, so good; but it turns out this can be abused big time within the current version of Azure, potentially costing the site’s owner serious money.
The example website was using URL re-write for navigation, i.e. when one navigates to the site, no matter which page they go to, the browser shows only the root of domain name and the page names are hidden.
But security wise, this is an easy one to go around; here’s how:
Right click on any link which leads to the site itself, right-click and view properties and copy the URL address. The address will look like this: http://websitename.domain/
Then paste the address in the browser and press Enter; and from now on, all URL paths will show in the browser’s address field.
Once you have the page names, you can go and see what the URLs for the webcasts look like. i.e: http://website.domain/
So, each webcast has its unique id and it can be called by supplying it to the HTTP request. i.e. if you join the string “http://website.domain/
So, how could one mean spirited end user make the site owner’s Windows Azure bill grow big time?
One idea is to stream webcasts multiple times. Let’s suppose a webcast is about 100Mb. This means that streaming 10 webcasts will cost $0.12, 100 will cost $1.20, 1000 will cost $12 and so on. Here’s how one might do that:
By looking at the source code of the webcast page one could see the URL to the webcast itself, which may look like this:
By breaking down this address one can see the following:
-that the Windows Azure storage is used: websitename4storage.blob.core.
-the name of the webcast file: AppFabricACS-
-the time slice this link will be valid for, starting at: st=2012-11-24T09%3A06%3A20Zand ending at: se=2012-11-24T10%3A06%3A20Z
-a digital signature which confirms the validity of the URL, including the time for which the webcast streaming is valid… sig=yx8%
One would also notice that every time one calls the address below, one gets a valid webcast streaming link: http://websitename.domain/
So, to do most damage in the shortest time, one could write a short program which calls the address, parses it and finds the URL to the webcast itself (as shown above) and streams it.
So assuming the files are 100Mb each, and one has enough bandwidth from their ISP, by streaming 100,000 webcasts in one month this will cause the site owner to be charged around $1200. And if one wanted to be really bad, they could stream 1,000,000 webcasts and then the bill would be around $12,000. (These figures are just for the ease of calculation; usually, webcasts are about 30 to 50 Mb each.)
And to top that off, there is no way to put a cap on the cost of a Windows Azure account. Go figure.
What are the chances of this happening? No clue.
And I guess in reality, downloading 10 Tb of data would cost $12,000, and even though it seems unlikely that someone would go and do it, the question is more of a principle, not of a practice. And even if, let’s say, the extra $12,000 bill is spread over 1 year (833Gb per month of extra downloads will cost $99.96), this is still $12,000 too much per year, and it is quite unaccounted for.
But why take the chance?