Oh, c’mon…
Story here from Network World.
Frankly, XML Signature-Wrapping and XSS don’t represent “massive security flaws in cloud architectures.”
They represent unfortunate vulnerabilities in authentication mechanisms and web app security, but “cloud architecture”?
These vulnerabilities were also fixed. Quickly.
Further, while the attack vector will continue to play an important role when using Cloud (publicly) as a delivery model (that is, APIs), this story is being overplayed.
Will this be/could this be/is this type of vulnerability pervasive? Certainly there are opportunities for abuse of Internet-facing APIs and authentication schemes, especially given the reliance on vulnerable protocols and security models.
Perhaps.
Is it scary?
Yes.
See: Cloudifornication and Cloudinomicon.
As with any article, it is written to stir up controversy. The more controversy, the more interest. Have they overdone it? Maybe. Is it out of the ordinary? No.