PhotoSquared app exposed customer photos and shipping labels

Popular photo printing app PhotoSquared has exposed thousands of customer photos, addresses, and order details.

At least ten thousand shipping labels were stored in a public Amazon Web Services (AWS) storage bucket. There was no password on the bucket, allowing anyone who knew the easy-to-guess web address access to the customer data. All too often, these AWS storage buckets are misconfigured and set to “public” and not “private.”
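The misconfiguration described above is checkable from the bucket's own settings. The following script is an added example, not code from the article or from PhotoSquared: it evaluates the three documents S3 returns for a bucket (the bucket policy, the bucket ACL, and the Public Access Block configuration) and reports whether anonymous readers are effectively allowed. The bucket name, account ID and grants are constructed samples in the same shapes the S3 API returns, so the script runs offline without any AWS call.

```python
"""Offline check of an S3 bucket's access settings for public exposure.

Added example, not part of the TechCrunch report or PhotoSquared's systems.
The documents below are constructed samples in the shapes the S3 API returns
(get-bucket-policy's "Policy" JSON string, get-bucket-acl, and
get-public-access-block); the bucket name and account ID are made up.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}   # ACL groups that mean "everyone"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"} (any AWS account, including anonymous)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy):
    """Allow statements usable by any principal; policy may be a dict or the JSON string S3 returns.

    A Condition block (e.g. aws:SourceVpce) can narrow such a statement, so it is flagged
    as 'conditional' for manual review rather than silently dropped.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [{"sid": s.get("Sid", "<no Sid>"), "actions": _as_list(s.get("Action", [])),
             "conditional": "Condition" in s}
            for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]


def acl_public_grants(acl):
    """(group URI, permission) pairs the bucket ACL hands to AllUsers / AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def bucket_exposure(policy, acl, public_access_block):
    """Combine policy, ACL and Public Access Block into one verdict.

    Public Access Block semantics modelled here: IgnorePublicAcls makes public ACL
    grants ineffective, and RestrictPublicBuckets limits a bucket with a public
    policy to the owning account and AWS service principals. The two Block* flags
    only reject *new* public settings, so they do not change an existing exposure.
    """
    pab = public_access_block.get("PublicAccessBlockConfiguration", public_access_block)
    policy_hits = policy_public_statements(policy)
    acl_hits = acl_public_grants(acl)
    effective_policy = [] if pab.get("RestrictPublicBuckets") else policy_hits
    effective_acl = [] if pab.get("IgnorePublicAcls") else acl_hits
    found = bool(policy_hits or acl_hits)
    public = bool(effective_policy or effective_acl)
    return {"public": public, "policy_statements": policy_hits, "acl_grants": acl_hits,
            "neutralised_by_public_access_block": found and not public}


# Constructed samples. The policy is the classic "anyone may read any object" statement.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-print-orders/*"}],
})
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
               {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in OPEN_PAB}}
PRIVATE_POLICY = {  # constructed: access limited to one role in a made-up account
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OrderServiceOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-service"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-print-orders/*"}],
}

if __name__ == "__main__":
    for label, pab in (("open", OPEN_PAB), ("locked", LOCKED_PAB)):
        print(label, json.dumps(bucket_exposure(SAMPLE_POLICY_JSON, SAMPLE_ACL, pab), indent=2))
```

Against a real bucket the same three documents come from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; the point of the `neutralised_by_public_access_block` field is that an account-wide Public Access Block is the control that would have kept a bucket like this one private even with a permissive policy or ACL left in place.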

The exposed data included high-resolution user-uploaded photos and generated shipping labels dating back to 2016, and new data was still being added daily. The app has more than 100,000 users, according to its Google Play listing.

It’s not known how long the storage bucket was left open.

One of the customer orders, including photos and the customer’s shipping address. The exposed storage bucket also had thousands of shipping labels. (Image: TechCrunch)

Security researchers provided the name of the exposed bucket to TechCrunch. We matched a number of shipping labels against existing public records, and contacted PhotoSquared on Wednesday to warn of the exposure.

Keith Miller, chief executive of Strategic Factory, which owns PhotoSquared, confirmed that the data was no longer exposed, but Miller declined to say if the company planned to inform customers or regulators under data breach notification laws.

At the time of writing, PhotoSquared has made no reference to the security lapse on its website or its social media accounts.

Octarine releases open source security scanning tools for Kubernetes

Octarine, a startup that helps automate security of Kubernetes workloads, released an open source scanning tool today. The tool, which is called Kube-scan, is designed to help developers understand the level of security risk in their Kubernetes clusters.

The company is also open sourcing a second tool called The Kubernetes Common Configuration Scoring System or KCCSS for short, which is the underlying configuration framework used in Kube-scan.

As Octarine’s head of product Julien Sobrier points out, there are 30 security settings in Kubernetes, and Kube-scan can help you see where you might be vulnerable on any one of them, measured on a scale of 0-10, with 10 being extremely vulnerable.

“Kubernetes gives a lot of flexibility and a lot of power to developers. There are over 30 security settings, and understanding how they interact with each other, which settings make security worse, which ones make it better, and the impact of each selection is not something that’s easy to measure or explain,” Sobrier told TechCrunch.

Octarine wants to help with these two open source tools. It started by building KCCSS, a vulnerability model based on the industry standard Common Vulnerability Scoring System (CVSS), to provide a risk assessment framework for Kube-scan.

“We’ve taken this model of CVSS and applied it to Kubernetes. This helps explain to users, what are the security settings that are causing risk? What is the danger to the workload in terms of availability of the cluster, integrity of the cluster and confidentiality of the cluster,” Sobrier explained. This gives developers and operations a common system for understanding the security posture of the cluster, and makes it easier for them to decide whether the risk is acceptable or not.

Kube-scan result. Screenshot: Octarine (cropped)

Octarine then took the KCCSS framework and built Kube-scan on top of it. Kube-scan takes the settings as defined in KCCSS and applies a score that measures the level of risk for each setting in the Kubernetes cluster you run it on. “Kube-scan is basically an implementation of the KCCSS framework. So it’s software, a container, that will run on your cluster and show you the risk of all the [settings] on a scale from zero, not risky, to 10, highly risky, and then give you all the details about what the grade is and the possible remediation that you can put in place,” he said.
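To make the idea of a CVSS-style 0-10 score for cluster settings concrete, here is an added example that is not Kube-scan or KCCSS and does not reproduce Octarine's rules: it is a hypothetical scorer of this page's own, written for illustration. It rates a handful of pod-level settings (privileged containers, host namespaces, hostPath volumes, added capabilities, and the absence of the usual hardening flags) on confidentiality, integrity and availability, combines them with the CVSS v3.1 impact formula and round-up rule, and scales the worst case to 10. Which settings are checked, the impact levels assigned to each, and the remediation hints are all this example's assumptions; the sample manifests are constructed.

```python
"""Hypothetical CVSS-style scoring of Kubernetes pod security settings.

Added example, not Octarine's Kube-scan or KCCSS: the rules, impact ratings
and remediation hints are this example's own assumptions, chosen to show how
a CVSS-like confidentiality/integrity/availability model turns a pod's
settings into a 0-10 number. The impact weights (N=0, L=0.22, H=0.56) and
the one-decimal round-up are CVSS v3.1's; scaling the worst case to 10 is ours.
"""
import copy
import math

WEIGHT = {"N": 0.0, "L": 0.22, "H": 0.56}          # CVSS v3.1 impact weights
LEVEL_ORDER = {"N": 0, "L": 1, "H": 2}
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE"}   # assumption


def iss(c, i, a):
    """CVSS v3.1 impact sub-score: 1 - (1-C)(1-I)(1-A)."""
    return 1 - (1 - WEIGHT[c]) * (1 - WEIGHT[i]) * (1 - WEIGHT[a])


ISS_MAX = iss("H", "H", "H")


def roundup1(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, robust to float noise."""
    n = round(x * 100000)
    return n / 100000 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10


def risk_score(c, i, a):
    """Map a (C, I, A) impact triple onto the 0 (no risk) .. 10 (worst) scale."""
    return roundup1(10 * iss(c, i, a) / ISS_MAX)


def containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def sc(container, key):
    return container.get("securityContext", {}).get(key)


def runs_as_root(pod, container):
    """runAsNonRoot may be set at pod or container level; either one satisfies the rule."""
    pod_level = pod.get("spec", {}).get("securityContext", {}).get("runAsNonRoot")
    return sc(container, "runAsNonRoot") is not True and pod_level is not True


# (setting, predicate over the pod, (C, I, A) impact, remediation) -- all assumptions
RULES = [
    ("privileged", lambda p: any(sc(c, "privileged") for c in containers(p)),
     ("H", "H", "H"), "remove securityContext.privileged"),
    ("hostPID", lambda p: p.get("spec", {}).get("hostPID", False),
     ("H", "L", "L"), "set spec.hostPID: false"),
    ("hostIPC", lambda p: p.get("spec", {}).get("hostIPC", False),
     ("H", "L", "L"), "set spec.hostIPC: false"),
    ("hostNetwork", lambda p: p.get("spec", {}).get("hostNetwork", False),
     ("L", "L", "L"), "set spec.hostNetwork: false"),
    ("hostPath volume", lambda p: any("hostPath" in v for v in p.get("spec", {}).get("volumes", [])),
     ("H", "H", "L"), "replace hostPath with a PersistentVolumeClaim or emptyDir"),
    ("dangerous capabilities",
     lambda p: any(set((sc(c, "capabilities") or {}).get("add", [])) & DANGEROUS_CAPS for c in containers(p)),
     ("H", "H", "L"), "drop ALL capabilities and add back only what the workload needs"),
    ("allowPrivilegeEscalation not false",
     lambda p: any(sc(c, "allowPrivilegeEscalation") is not False for c in containers(p)),
     ("L", "L", "N"), "set securityContext.allowPrivilegeEscalation: false"),
    ("runAsNonRoot not set", lambda p: any(runs_as_root(p, c) for c in containers(p)),
     ("L", "L", "N"), "set securityContext.runAsNonRoot: true"),
    ("writable root filesystem",
     lambda p: any(sc(c, "readOnlyRootFilesystem") is not True for c in containers(p)),
     ("N", "L", "N"), "set securityContext.readOnlyRootFilesystem: true"),
]


def score_pod(pod):
    """Per-setting findings plus an overall score built from the worst impact per dimension."""
    findings, worst = [], ["N", "N", "N"]
    for setting, triggered, impact, fix in RULES:
        if triggered(pod):
            findings.append({"setting": setting, "score": risk_score(*impact), "remediation": fix})
            worst = [max(w, x, key=LEVEL_ORDER.get) for w, x in zip(worst, impact)]
    findings.sort(key=lambda f: -f["score"])
    return {"score": risk_score(*worst), "findings": findings}


# Constructed sample manifests, as dicts (what yaml.safe_load or the API would give you).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {"containers": [{
        "name": "web", "image": "example/web:1.0",
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
    }]},
}
HOST_NET_POD = copy.deepcopy(HARDENED_POD)
HOST_NET_POD["spec"]["hostNetwork"] = True
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-agent"},
    "spec": {"hostPID": True,
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "agent", "image": "example/agent:1.0",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]},
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, HOST_NET_POD, RISKY_POD):
        report = score_pod(pod)
        print(f"{pod['metadata']['name']}: {report['score']}")
        for f in report["findings"]:
            print(f"  {f['score']:>4}  {f['setting']}: {f['remediation']}")
```

Taking the worst level per dimension across all triggered rules means a single privileged container pins the pod at 10 regardless of anything else, while a pod that only uses the host network lands in the middle of the scale; the per-setting scores and remediation strings are what a developer would act on, which is the same shape of output the article describes for Kube-scan.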

While it obviously could work hand-in-glove with Octarine’s own security tools, Rafael Feitelberg, VP of commercialization, says the project has been more about helping companies see their Kubernetes cluster risk level, and giving them information to fix the problems it finds. “A lot of these things can be remediated by adjusting the Kubernetes configuration, and you can explicitly see how you can remediate [the problem] in Kube-scan,” he said.

Feitelberg says that Octarine is something separate, designed to help you automate your security settings. “Our commercial product is more about the automation of the process, of doing this continuously, so it’s part of your CI/CD [pipeline] and your DevOps process,” he said.

Both of the open source tools are available today on GitHub.

AWS announces EKS on Fargate is available

Today at AWS re:Invent in Las Vegas, the company announced that Elastic Kubernetes Service is available on Fargate.

EKS is Amazon’s flavor of Kubernetes. Fargate is a service announced in 2017 that enables you to launch containerized applications without worrying about the underlying infrastructure.

“Starting today, you can start using Amazon Elastic Kubernetes Service to run Kubernetes pods on AWS Fargate. Amazon EKS and Fargate make it straightforward to run Kubernetes-based applications on AWS by removing the need to provision and manage infrastructure for pods,” the company wrote in a blog post announcing the new feature.

Pods are simply a group of containers you launch on the same Kubernetes cluster. If you think about the fact that Kubernetes enables you to launch these pods in an automated fashion, it makes sense to also provision the underlying infrastructure required to run those pods in an automated fashion.

“With AWS Fargate, you pay only for the amount of vCPU and memory resources that your pod needs to run. This includes the resources the pod requests in addition to a small amount of memory needed to run Kubernetes components alongside the pod. Pods running on Fargate follow the existing pricing model,” the company wrote in the blog.

That means developers won’t have to worry about over-provisioning, because Fargate should allocate exactly the resources needed to run that pod at any given moment and no more.

This feature is available starting today in US East (N. Virginia), US East (Ohio), Europe (Ireland), and Asia Pacific (Tokyo).