wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Ronin.ae AppFlow Vulnerabilities #290

Closed ramimac closed 3 days ago

ramimac commented 3 months ago

Summary (give a brief description of the issue)

Undocumented API allowed reading partial secrets

When looking at the API console for the AppFlow API model, we stumbled upon a definition of the AppFlow service called sandstoneconfigurationservicelambda.

This vulnerability allowed anyone to steal secrets managed by AppFlow in any AWS account.

It is made possible by using an undocumented field awsOwnedManagedAppCredentialsArn during connector registration and connector updates. We believe it was made for managed OAuth apps (we only found the SharePoint connector making use of it).

Preconditions

We needed to know the Secret ARN of the victim’s secret. (see note below) The victim secret ARN belonged to a connection profile which is of the type OAuth or contains clientId and clientSecret.

SSRF using redirects

This confirmed that we could make arbitrary GET requests to any URL from the WooCommerce connector.

References (provide links to blogposts, etc.)

https://ronin.ae/news/amazon-appflow-vulnerabilities/