AWS patches the 28c3 hash vulnerability

On January 3rd and 9th I posted two short messages to the AWS (Ada Web Server) mailing list, asking whether AWS was susceptible to this attack (video). I got no answer, but from looking at the hash function used, I was pretty sure AWS was just as vulnerable as all the other web technologies. This was confirmed at the January open Ada-DK meeting, where we spent some time checking out the code.

Things were also stirring in the #ada Freenode IRC channel, and on January 17th Marcelo Freitas put together a test and actually found 46656 hash collisions simply by brute-forcing the Ada.Strings.Hash function, which is what AWS used at the time.

Those 46656 collisions were enough to keep one core running at 100% for 3 minutes, using a simple “Hello World” AWS server.
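To make the mechanism concrete, here is the attack in miniature as an added example. It is not Marcelo's test, not AWS code, and it does not reproduce Ada.Strings.Hash (whose algorithm this post does not describe). It uses a fixed, unkeyed string hash (Bob Jenkins' one-at-a-time, chosen as a stand-in), brute-forces the 36^3 = 46656 three-character strings over [a-z0-9] (the same count the post reports; whether Marcelo used that alphabet is my assumption) to find the largest set landing in one bucket of a 64-slot table, and then inserts that set into a chained hash table that counts key comparisons so the quadratic cost is visible without timing noise. The keyed BLAKE2b variant at the end shows the generic mitigation, seeding the hash with a per-process secret; it is not a description of the fix AWS shipped. Table size, alphabet and the hash function are all assumptions for the demonstration.

```python
"""Hash-collision denial of service in miniature (added example, not AWS code)."""
import hashlib
import itertools
import os
import string
from collections import defaultdict


def one_at_a_time(s: str) -> int:
    """Bob Jenkins' one-at-a-time hash (32-bit).

    Constructed stand-in for a fixed, unkeyed string hash; it is NOT a claim
    about what Ada.Strings.Hash computes.
    """
    h = 0
    for b in s.encode("ascii"):
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    h = (h + (h << 15)) & 0xFFFFFFFF
    return h


def make_keyed_hash(key: bytes):
    """Return a hash function seeded with a secret key.

    An attacker who cannot learn `key` cannot precompute colliding inputs.
    BLAKE2b in keyed mode is used here as the generic mitigation; the fix
    AWS actually applied is not described on this page and is not reproduced.
    """
    def keyed(s: str) -> int:
        digest = hashlib.blake2b(s.encode("ascii"), key=key, digest_size=4).digest()
        return int.from_bytes(digest, "little")
    return keyed


def find_bucket_collisions(hash_fn, nbuckets: int, alphabet: str, length: int):
    """Enumerate every string of `length` over `alphabet` and return the
    largest set that lands in one bucket of an `nbuckets`-slot table.

    This is the brute-force step: nothing about the hash's internals is
    needed, only the ability to evaluate it offline.
    """
    buckets = defaultdict(list)
    for chars in itertools.product(alphabet, repeat=length):
        s = "".join(chars)
        buckets[hash_fn(s) % nbuckets].append(s)
    return max(buckets.values(), key=len)


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    so the cost of an insert is visible without timing noise."""

    def __init__(self, hash_fn, nbuckets: int):
        self.hash_fn = hash_fn
        self.slots = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        chain = self.slots[self.hash_fn(key) % len(self.slots)]
        for pair in chain:  # replace if present: one comparison per entry
            self.comparisons += 1
            if pair[0] == key:
                pair[1] = value
                return
        chain.append([key, value])

    def longest_chain(self) -> int:
        return max(len(c) for c in self.slots)


def insert_cost(hash_fn, nbuckets: int, keys) -> int:
    """Comparisons needed to insert `keys` (think: request parameters) into a
    fresh table: quadratic when every key shares a bucket, near-linear otherwise."""
    t = ChainedTable(hash_fn, nbuckets)
    for k in keys:
        t.insert(k, None)
    return t.comparisons


NBUCKETS = 64                                        # assumed table size
ALPHABET = string.ascii_lowercase + string.digits    # 36 symbols; 36^3 = 46656

if __name__ == "__main__":
    colliding = find_bucket_collisions(one_at_a_time, NBUCKETS, ALPHABET, 3)
    print(f"{len(colliding)} of {36 ** 3} candidates share one bucket")
    print("unkeyed hash, colliding keys:", insert_cost(one_at_a_time, NBUCKETS, colliding))
    keyed = make_keyed_hash(os.urandom(16))
    print("keyed hash, same keys:       ", insert_cost(keyed, NBUCKETS, colliding))
```

With 46656 candidates and 64 buckets the fullest bucket holds at least 729 strings, and inserting n such keys costs n(n-1)/2 comparisons; the same keys under the keyed hash spread across the table and cost a small fraction of that. A real server multiplies this by the number of parameters an attacker can pack into one POST body, which is how a handful of requests pins a core.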

Marcelo sent his findings to the AWS developers, and shortly thereafter these fixes were pushed to the AWS Git repository:

The power of Open Source software is amazing. This fix went in the same day Marcelo had reported the issue. That is just plain awesome.

AWS now ranks proudly among the few web technologies where this problem has been fixed.
