A recently discovered issue affects Amazon Web Services’ (AWS) Application Load Balancer (ALB) and is a concern for security teams. Dubbed “ALBeast” by cybersecurity firm Miggo, the flaw puts as many as 15,000 applications that use ALB for authentication at risk of being accessed and controlled by attackers.
The flaw lets an attacker create their own ALB instance with an authentication configuration of their choosing and use it to craft a token that appears authentic. This forged token gives the attacker direct access to the target application, bypassing its authentication and authorisation processes. The danger is highest for applications that are directly accessible via the internet, where the exploit can be run against the target application fairly simply.
AWS designed ALB to handle authentication for applications, working in conjunction with services such as Amazon Cognito and supporting multiple identity providers. Unfortunately, the ALBeast vulnerability undermines this security feature, exposing a major weakness in the way ALB instances are set up.
The researchers disclosed the issue responsibly in April 2024, and AWS responded by amending its authentication guide and advising developers to check the signer field in the JSON Web Tokens (JWTs) to confirm they come from a trusted ALB instance. AWS also advised restricting security groups so that traffic reaches the application only from the trusted ALB, to help avoid exploitation.
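One way to implement the signer check that AWS recommends is shown below. This is an added example, not code from AWS or Miggo: the ARN is a placeholder, the tokens are constructed samples, and it assumes the token signature is verified separately against the ALB public key.

```python
import base64
import json

# Assumption: placeholder ARN of the only ALB allowed to front this application.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                   "loadbalancer/app/example-alb/0123456789abcdef")


def _b64url_decode(segment):
    # Accept segments with or without '=' padding.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def signer_is_trusted(token, expected_signer=EXPECTED_SIGNER):
    """True only if the JWT header names the expected ALB ARN as signer.

    Run this in addition to verifying the token signature, not instead of it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    if not isinstance(header, dict):
        return False
    # Exact match on the full ARN: a prefix or substring test would accept a
    # load balancer in another account or one with a similar name.
    return header.get("signer") == expected_signer


def make_sample_token(header):
    # Constructed sample: dummy payload and signature, for demonstration only.
    enc = lambda raw: base64.urlsafe_b64encode(raw).decode()
    return ".".join(enc(p) for p in (json.dumps(header).encode(), b'{"sub":"u"}', b"sig"))


OTHER_ALB = EXPECTED_SIGNER.replace("111122223333", "999988887777")  # constructed

if __name__ == "__main__":
    for arn in (EXPECTED_SIGNER, OTHER_ALB):
        token = make_sample_token({"alg": "ES256", "signer": arn})
        print(arn.split(":")[4], "accepted" if signer_is_trusted(token) else "rejected")
```

The application should reject the request whenever this check fails, even if the token's signature is otherwise valid.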
This incident highlights that cloud environments are becoming steadily more complicated, and so is securing them, as organizations shift to services such as AWS. As the ALBeast vulnerability demonstrates, configuration and monitoring should not be a one-time event; the first lesson learned is never to assume that cloud-based applications are safe from new threats.