Security Now 1071: Bucketsquatting
Date: March 25, 2026
Host: Micah Sargent (filling in for Leo Laporte)
Co-host/Guest: Steve Gibson
Theme: The hidden dangers of “bucket squatting” in Amazon S3 (and cloud storage) global namespaces, plus analysis of a major H&R Block security misstep, breathalyzer calibration failures post-attack, invasive tracking pixels, critical Cisco/Ubiquiti vulnerabilities, new Firefox VPN, security news, and listener questions.
Episode Overview
This episode dives deep into critical security mistakes in widely-used tech, focusing on "bucket squatting": a supply chain attack vector created when abandoned S3 bucket names are recycled. Steve Gibson unpacks an alarming security flaw in H&R Block's tax software and explains both the technical failure and how it might be done securely. Other stories include a breathalyzer company crippled by a ransomware attack, the insidious scope of tracking pixels, the dangers of wallet phishing, several high-profile CVEs, and finally, how Amazon is (belatedly) fixing its bucket-naming policy.
Tone: Analytical, slightly incredulous, and heavily focused on practical lessons and technical details—classic Gibson style, with Micah’s enthusiastic curiosity.
Main Topics & Key Insights
1. Incident Review: H&R Block's Dangerous Root Certificate Installation
[09:13-43:52]
- Summary: H&R Block's Business 2025 tax software installs a root CA (certificate authority) certificate in the Windows Trusted Root Store, with the private key included in a DLL. The certificate is unbranded, valid until 2049, and remains after uninstall. This allows trivial MITM (Man-in-the-Middle) attacks and malware signing for 23 years.
- Key Details:
- Listener Jack Christiansen first tipped off Steve. Researcher Yifan Lu found/exposed the flaw, posted a PSA on Y Combinator, and provided demo/test URLs.
- Using the extracted private key, anyone could mint MITM certificates or code-signing certificates, trusted by every affected user.
- Gibson: "Doing that on H&R Block's part is the height of hubris and irresponsibility." ([15:14])
- H&R Block, when responsibly disclosed to, brushed it off as "out of scope" and admitted they already knew about it ("internal security assessments").
- Implications:
- All users who ever installed are vulnerable to seamless spoofing, phishing, or malware until 2049.
- The vulnerability persists after the software is removed—“the world's most potent ‘backdoor’” in a tax app.
- Why Did H&R Block Do It?
- Possibly to run a local browser-based web UI with HTTPS (using a local root CA). Steve argues even then, shipping the CA private key is inexcusable; a short-lived, generated keypair per install erases the risk.
- Proposed Secure Fix:
- On first run, generate a unique root and server certificate on the machine itself; never ship a private key, delete the root CA private key immediately after it has signed the server certificate, set a tight expiration, and remove the root from the trust store on uninstall ([47:00-54:00]).
- "That private key is never written to nonvolatile storage. So it is now permanently gone." ([52:02])
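Steve's per-install alternative, written out as an added example (not H&R Block's code or anything shown in the episode): a Go routine that builds the root CA in memory, signs one short-lived localhost server certificate with it, and returns a value that cannot carry the root key. The install ID, certificate names and lifetime are assumptions; installing the root into the trust store is left to the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// LocalTLS is all the installer keeps: root cert for the trust store, server leaf
// and leaf key. The root private key is deliberately not a field, so nothing can persist it.
type LocalTLS struct {
	RootDER, LeafDER []byte
	LeafKey          *ecdsa.PrivateKey
}

// IssueEphemeralLocalTLS creates a per-install root CA in memory, signs one
// short-lived localhost server cert with it, and lets the root key go out of scope.
func IssueEphemeralLocalTLS(installID string, lifetime time.Duration) (*LocalTLS, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Local App Root " + installID}, // branded, per install
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime), // not 2049: dies with the install
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, // leaves only, never a sub-CA
		KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil { return nil, err }
	root, err := x509.ParseCertificate(rootDER) // issue the leaf from the real root cert
	if err != nil { return nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // TLS server only, never code signing
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil { return nil, err }
	// rootKey is unreachable from here on; the returned value carries no CA secret.
	return &LocalTLS{RootDER: rootDER, LeafDER: leafDER, LeafKey: leafKey}, nil
}
```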
2. Intoxalock: Ransomware Halts Breathalyzer-Calibrated Vehicles
[58:10-65:55]
- Summary: Intoxalock's central calibration system was knocked out for 10+ days by a probable ransomware attack, leaving users locked out of their cars across several states due to enforced calibration policies.
- Sensitive Data: Driver IDs, legal status, drinking habits, etc., may have been exfiltrated—creating "extra private and extra sensitive" blackmail risk.
- Lesson(s):
- Cyber incidents now impact the physical world.
- "It's not the sort of data anyone wishes to have floating around the Internet. I would argue, you know, it makes a Social Security number look tame by comparison." ([62:32])
3. Firefox 149: Free Built-In VPN Launch
[65:55-70:56]
- Summary: Firefox 149 introduces a free, monthly-capped (50GB) built-in VPN—initially for US, France, Germany, and UK users, aiming to attract privacy-aware users amid dipping browser market share.
4. (Not-So) Innocent Tracking Pixels: Meta and TikTok Go Far Beyond Analytics
[73:14-90:02]
- Summary:
- Security researchers at Jscrambler found that TikTok's and Meta's pixels (JavaScript snippets embedded by many retailer, hospitality, and healthcare sites) now actively collect full personal information (emails, phone numbers, addresses) and shopping data (cart details, checkout information, partial payment details), often before consent is even processed; sometimes the data is sent in plaintext within URLs.
- Hashing the fields does not anonymize them: the hashes are deterministic, so the same email or phone number always produces the same value and can be matched across sites.
- Steve’s Take:
"If you might be thinking that none of this is any of Meta's effing business, I would agree with you wholeheartedly. It is so wrong and intrusive. They do it simply because they can." ([81:53])
5. Global Messaging Bans: Russia’s Business Backlash
[90:05-91:10]
- Russian businesses are imploring the government to lift bans on Telegram and WhatsApp as they're critical to international commerce.
6. Crypto Wallet Phishing via Open Claw Scams
[91:10-93:24]
- GitHub users are being lured to connect wallets via phishing scams that drain funds. Steve is sympathetic but notes, "You sometimes need an object lesson..." ([93:24])
7. Zero-Day Epidemics: Critical Cisco and Ubiquiti Vulnerabilities
[93:24-101:59]
- Cisco:
- Two recent CVSS 10.0 auth-bypass flaws in Secure Firewall and SD-WAN. Exploited as zero-days (Interlock ransomware), with a window of more than five weeks before disclosure and patch.
- Amazon Threat Intelligence detailed how attackers used deserialization flaws for root-level code execution, and managed to trace the entire ransomware infrastructure.
- Key takeaway: "Even if patched, you could be owned due to a zero-day you didn't know." Layers of security—defense in depth—are essential ([109:40-114:23]).
- Ubiquiti:
- Similar CVSS 10.0 flaw in Unifi gateway products—patching advised.
Listener Feedback & Notable Quotes
[116:13-128:27]
- On fading skills (clocks, cursive, programming):
"With advances in AI, it seems clear that [coding] too will cease. Why bother when you can have AI bang out apps in minutes?"
— Vern Mastel ([116:34])
- On phishing via “ClickFix” attacks:
- Example of IRS “office examination” scam that instructs the target to run a PowerShell command sent in a letter, not a link.
"This latest trend of click fix to me is truly frightening... more than half of all exploits combined are now attributable to this single category." ([124:38])
- On cloud signing vs. local HSM code signing certificates:
"I think old school physical security is a little better than allowing, you know, foreign attackers from states we don't trust, free roam and access trying to impersonate us and get our code signed." ([124:53])
- On coding as craft:
"I'd much rather make my own lures... than cheat myself out of the joy of coding." ([126:07])
Deep Dive: Bucket Squatting (Main Feature)
[131:25-163:07]
What is "Bucket Squatting"?
- The act of registering a previously abandoned (deleted) S3 bucket name—often used by automated software, systems, or devices that will continue to check for resources at that address.
- Offenders can then respond to millions of automated requests for updates/binaries/configs with malware, backdoors, or siphon sensitive data.
Watchtower Labs' Research
- Registered ~150 abandoned S3 buckets known to be previously used by government, military, businesses, and open source projects.
- Monitored 8 million access attempts in two months—many looking for updates, binaries, configs, and more.
- “Had we been maliciously inclined, we could have responded to each of these 8 million requests with something malicious...” ([137:48])
Notable quote:
"This is not the result of a bug. This was the result of a fundamentally poor system design. Amazon should never have allowed bucket names to be recycled and reused." ([151:10])
- S3 bucket names live in a single global, flat namespace: they were first-come, first-served, and a deleted name was released for anyone to reuse.
- Names are often “cute”/predictable/brand-linked, making targeting easier ("grc", "acme-enterprises-archive-2024", etc.).
Implications:
- Legacy devices/software may indefinitely seek resources at an old bucket address—forever vulnerable if the name is re-claimed by an attacker.
Amazon’s (Delayed) Fix
- As of March 2026 ("last Thursday"), Amazon introduced regional account namespaces for S3 buckets.
- Buckets can now include a suffix unique to the account and region; no other account can create a bucket carrying that suffix.
- "If another account tries to create buckets using this account suffix... requests will be automatically rejected." ([154:47])
- Policy is opt-in, only applies to newly created buckets; retrospective bucket squatting remains possible on legacy buckets.
- Google Cloud Storage and Azure have long protected against bucket name reuse.
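As an added example (not Watchtower Labs' tooling or anything from the episode), a Go audit of a product's own configuration for bucket references that no longer resolve, which is exactly the legacy case the opt-in fix leaves open: a reference whose name returns NoSuchBucket will keep being polled by installed software, and whoever registers the name next answers those requests. The config text, bucket names and the injected status function are constructed; in production the status would come from an unauthenticated HEAD request to the bucket endpoint.

```go
package main

import "regexp"

// Bucket-name forms found in code, configs and update URLs: s3:// URIs,
// virtual-hosted hosts and path-style URLs (with or without a region).
var bucketPatterns = []*regexp.Regexp{
	regexp.MustCompile(`s3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?:/|$)`),
	regexp.MustCompile(`https?://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com`),
	regexp.MustCompile(`https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])`),
}

// Constructed sample of an installed product's config; the bucket names are
// made up (the second is the episode's own example of a predictable name).
const SampleConfig = `update_url = https://acme-updates.s3.amazonaws.com/win/latest.json
archive    = https://s3.us-east-1.amazonaws.com/acme-enterprises-archive-2024/cfg.bin
telemetry  = s3://example-telemetry-2019/
`

// ExtractBucketNames returns the set of distinct bucket names referenced in text.
func ExtractBucketNames(text string) map[string]bool {
	names := map[string]bool{}
	for _, re := range bucketPatterns {
		for _, m := range re.FindAllStringSubmatch(text, -1) {
			names[m[1]] = true
		}
	}
	return names
}

// Classify maps each name to a finding from status(name), the HTTP code of an
// unauthenticated HEAD on https://<name>.s3.amazonaws.com/ (net/http in
// production; injected here so the logic runs offline). 200 and 403 both mean
// the name is taken; 404 (NoSuchBucket) means it is unclaimed, so a client
// still polling it would be served by whoever registers the name next.
func Classify(names map[string]bool, status func(string) int) map[string]string {
	findings := map[int]string{200: "exists (public)", 403: "exists (private)",
		404: "DANGLING: unclaimed name, squattable"}
	out := map[string]string{}
	for n := range names {
		f, ok := findings[status(n)]
		if !ok {
			f = "unknown"
		}
		out[n] = f
	}
	return out
}
```

Run the same extraction over release notes and installer scripts as well as config files; a dangling name found there is one to re-register under your own account before someone else does.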
Other Notable Moments
- Steve’s "Windows codebase as rat's nest of wires" analogy, tying into the theme of software cruft, technical debt, and the dangers of decades of accreted design. ([10:38])
- Discussion of defense-in-depth as the only viable way to handle zero-days and perimeter compromise ([114:23]; [109:40])
- Light discussion at the end on the creativity involved in uncovering “what could possibly go wrong?” ([163:21])
Timestamps for Important Segments
- H&R Block Root CA Flaw/Demo: [09:13–43:52]
- How H&R Block should have done it: [46:13–54:00]
- Intoxalock Ransomware Breach: [58:10–65:55]
- Firefox 149 Built-in VPN: [65:55–70:56]
- Meta & TikTok Tracking Pixel Overreach: [73:14–90:02]
- Cisco/Ubiquiti CVEs and Interlock Zero-Day: [93:24–114:23]
- Listener Feedback: [116:13–128:27]
- Bucket Squatting (Main Deep Dive): [131:25–163:07]
Memorable Quotes
"Doing that on H&R Block’s part is the height of hubris and irresponsibility."
—Steve Gibson ([15:14])
"That private key is never written to nonvolatile storage. So it is now permanently gone."
—Steve Gibson, on best practices ([52:02])
"It's so wrong and intrusive. They do it simply because they can."
—Steve Gibson, on tracking pixels ([81:53])
"This is not the result of a bug. This was the result of a fundamentally poor system design."
—Steve Gibson, on bucket squatting ([151:10])
Final Words
- Security is more than patching—robust policy, design, and least privilege matter.
- Software and systems must assume that what’s built today will be left, repurposed, or forgotten tomorrow—don’t leave open keys, don’t re-issue names, and don’t trust any “default harmlessness.”
- Bucket squatting is the latest cautionary tale: design with the end in mind, not just the start.
For full insights or references, consult the episode’s transcript or show notes at twit.tv/shows/security-now.