Cloud Out Loud Podcast

Episode 9 - The GiveSendGo Leak

May 01, 2022 Jon and Logan Gallagher

The GiveSendGo Data Leak


Episode 09: Show Notes


As you are probably aware, earlier this year, a convoy of truckers was making the news for protesting COVID mandates and vaccinations in Canada. Part of the convoy was raising money through GoFundMe to support these protests. After they were shut down by the site, they moved their fundraising efforts to the religious-based fundraising site: GiveSendGo. It wasn’t long before a security researcher examined the site’s code and stumbled upon most or all of the major files and private data that were being used by the website, all publicly accessible on the internet. Today we discuss how this mistake was made, what S3 buckets are supposed to be used for, and how the website’s HTML source has been updated since the vulnerability was discovered. To discover the dangers of not reorienting your mentality to optimizing for the cloud, to learn more about the set of skills we need to have when engaging with the cloud, and to hear our best practices to help you ensure that you never make a mistake like this, tune in today!


Key Points From This Episode:


  • How the fund to support the protesting truckers came to be established on GiveSendGo.
  • What caused the data leak and how it was discovered.
  • The point of S3 buckets.
  • Why S3 buckets should not be used as storage buckets.
  • Why this information shouldn’t just be in separate buckets but in separate accounts too.
  • Speculation about how this mistake came to be made.
  • The need to distinguish the different classes of users who interact with a website.
  • What Logan discovered when he looked at the website’s HTML source code today and how it has been updated since the vulnerability was discovered.
  • The danger of not reorienting your mentality to optimizing for the cloud.
  • The role of CloudFront in protecting information.
  • The culture and the new set of skills we have to have when engaging with the cloud.
  • How the GiveSendGo developers were notified about this problem a long time ago.
  • The need for code reviews and the entire crew to understand the architecture.
  • A breakdown of the best practices to ensure that this doesn’t happen to you.
  • The importance of understanding what your business’s purpose is and the responsibilities and obligations entailed in the data you collect.


Tweetables:


“Understand what your business purpose is: what data are you collecting, what data are you storing, what data are you retrieving, what obligations does that data impose upon you?” — Jon Gallagher [0:26:19]


“Think of some of these cloud tools as chainsaws: They’re incredibly powerful but you need to be safe with them. You can get a lot done with them if you are trained to use it and if it’s in the right hands.” — Logan Gallagher [0:28:49]

Links Mentioned in Today’s Episode:

GiveSendGo

Amazon CloudFront

“Incentivized Developers Make Better Security”

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn