Capital One disclosed a breach of ~106 million credit applications — and this one is OUR industry’s breach, cloud-native in every detail, so the file gets specifics: the attacker (a former cloud-industry engineer) exploited a misconfigured WAF via SERVER-SIDE REQUEST FORGERY — tricking the firewall box into calling the cloud metadata service, which cheerfully handed over the IAM ROLE CREDENTIALS attached to the instance, which were scoped broadly enough to list and copy S3 buckets at leisure. Every layer is a lesson: SSRF is the cloud era’s skeleton key BECAUSE the metadata endpoint (169.254.169.254, memorize it like a fire exit) turns “make this server fetch a URL” into “become this server”; over-scoped roles turn one compromised box into an account-wide event (least privilege is boring until it’s the only thing that would have mattered); and detection came not from monitoring but from a TIP — the attacker had discussed the data online. We spent the week auditing our own role scopes and enabling IMDSv2-style protections; found two roles with wildcard S3 access “temporarily” (#101’s Nothing So Permanent clause, security edition).
Also logged, uneasily: Cloudflare dropped 8chan after the El Paso shooting — infrastructure companies as the internet’s reluctant last-resort moderators, a role they keep declaring they don’t want while being the only ones who can play it (#158’s platform-power file grows a grim chapter; “the stack has politics all the way down to DNS”).
TIL: SSRF defense-in-depth — metadata service v2’s session tokens, egress filtering, role-scope minimization. The perimeter isn’t a wall anymore; it’s the sum of every URL your servers can be talked into fetching. The call is coming from inside the VPC.