A cross-tenant vulnerability in Amazon Web Services (AWS) could have allowed attackers to abuse AWS AppSync to gain access to resources in an organization’s account.
According to cloud security firm Datadog Security Labs, an attacker could use the AWS AppSync service to assume identity and access management (IAM) roles in other AWS accounts and access the resources in those accounts. AppSync lets developers build GraphQL and Pub/Sub APIs that are wired to data sources (such as DynamoDB tables or Lambda functions) and can also call AWS APIs directly to integrate an application with other AWS services. To do this, each data source is backed by an IAM role that the AppSync service assumes on the API's behalf, so such roles must be created with the required IAM permissions and a trust policy that allows AppSync to assume them.
The flaw is an instance of the “confused deputy problem”: a less-privileged entity (the attacker) tricks a more-privileged entity (the AppSync service) into using its own privileges to carry out actions on the attacker's behalf. Because a data-source role trusts the AppSync service principal rather than a particular account or API, a service that can be persuaded to act for the wrong caller will assume the role with the same authority it would have for the legitimate owner.
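The article does not describe the specific bypass Datadog found, and the following is not it. As an added example (not code from Datadog, AWS, or the original article), the script below shows the generic defence AWS recommends against cross-service confused deputies: pinning a role's trust policy to the calling account and resource with the `aws:SourceAccount` and `aws:SourceArn` condition keys, and auditing existing trust policies for service principals that are allowed to assume the role without either key. The two policy documents are constructed samples; the account ID `111122223333`, the region, and the API ARN pattern are placeholders. Which condition keys a given service actually populates is something to confirm against that service's documentation before relying on it.

```python
"""Audit IAM role trust policies for unpinned service-principal trusts.

Added example, not from Datadog or AWS. It walks a trust-policy document and
flags every Allow statement that lets an AWS service principal call
sts:AssumeRole without an aws:SourceAccount or aws:SourceArn condition, the
generic AWS mitigation for cross-service confused deputy problems.
"""
import json

# Constructed sample: a data-source role that trusts the AppSync service
# principal unconditionally. Nothing in this policy ties the assumption to
# a particular account or API.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same role, pinned to one account and to AppSync
# APIs in that account. Account ID and region are placeholders (assumption).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111122223333:apis/*"},
        },
    }],
})

# Either key is enough to pin the deputy to a caller; both is preferable.
CONFUSED_DEPUTY_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Collect every condition key, lower-cased, regardless of the operator
    (StringEquals, ArnLike, ForAnyValue:StringEquals, ...)."""
    keys = set()
    for operator_values in (condition or {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def find_unpinned_service_trusts(policy_json):
    """Return the service principals that may assume the role without an
    aws:SourceAccount or aws:SourceArn condition, in statement order."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            # A bare "*" principal is a different (and worse) problem; not
            # a service-principal confused deputy, so it is out of scope here.
            continue
        services = _as_list(principal.get("Service", []))
        if not services:
            continue
        if CONFUSED_DEPUTY_KEYS & _condition_keys(stmt.get("Condition")):
            continue
        findings.extend(services)
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, "unpinned service trusts:", find_unpinned_service_trusts(doc))
```

Run the script as-is to see the weak policy flagged and the hardened one pass; to audit real roles, feed it the `AssumeRolePolicyDocument` returned by `iam:GetRole` for each role. The check is deliberately operator-agnostic, since a `StringLike` or `ArnLike` on `aws:SourceArn` pins the caller just as well as `StringEquals`.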