What is s3.amazonaws.com, and why is Chrome blocking it?

  • Lately, whenever I click on a download link in Google Chrome, it redirects to another link starting with s3.amazonaws.com, which in turn gets blocked either by Chrome or by my Antivirus (Comodo Internet Security). Copying the same link into Firefox or(*) a download manager downloads the file normally.

    I have tried resetting Chrome settings, disconnecting my Google account, removing all extensions, disabling all plugins, and performing a system scan, but the issue persists.

    My question is: What exactly is s3.amazonaws.com? Is it malicious, or is Chrome mistrusting it? And how do I fix the issue?


    An example file that invokes such behavior is the Pandoc MSI setup from this page.

    (*) It no longer works with Firefox

    @thexacre clicking the link you posted leads me directly to this one: https://s3.amazonaws.com/github-cloud/releases/571770/ee4e642e-87e0-11e4-864a-9f8485371008.msi?response-content-disposition=attachment%3B%20filename%3Dpandoc-1.13.2-windows.msi&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1428195561&Signature=67TuZKsrJ4kw3V7xDFxkhtW7KZw%3D which is blocked by my browser

    My mistake, you're right. The link is on a GitHub domain but it 302 redirects to an S3 domain. You might want to a. post this on the Pandoc issue tracker https://github.com/jgm/pandoc/issues and b. ask for a checksum of the packages so you can confirm the ones you downloaded haven't been tampered with.

    For me the md5sum of pandoc-1.13.2-windows.msi is d368d072a2b84c72f1ed863db96d7826. I didn't have any trouble downloading it but I'm on Ubuntu and I don't have Comodo.

    @thexacre Mine is returning a different value. f40cb166d8f915afa9df978c014cc94d

    It looks like you used 1.13.1 but mine was for 1.13.2. I downloaded 1.13.1 and got f40cb166d8f915afa9df978c014cc94d the same as you.

    @thexacre I just noticed that too. My bad. 1.13.2 matches with your previous result d368d072a2b84c72f1ed863db96d7826. Does this mean my browser and antivirus are giving false alerts?

    It might just be a false positive, but I'd encourage you to raise this issue on their issue tracker just in case. I myself have been involved with a fairly large open source project who were the victim of targeted attacks to both compromise our GitHub accounts and tamper with our download packages. It can happen.

  • thexacre (Correct answer)

    6 years ago

    s3.amazonaws.com is an endpoint for a cloud file storage product offered by Amazon Web Services (AWS) and is used by many websites and apps (albeit usually behind the scenes, but you can serve files from it directly too).

    Seeing references to that domain is definitely not inherently malicious; however, given that you can store just about any file in S3, there's no guarantee that it isn't being used to store some malicious files (among the overwhelmingly legitimate files). AWS credentials are a valuable target for hackers, so it's possible the owner of the account has been compromised.

    Chrome and Comodo may know that attributes such as the size, checksum, name, etc. of the file match that of known malware which is why they're blocking it (rather than necessarily because it's served from s3.amazonaws.com).

    I'd recommend reporting it via the AWS abuse form or by emailing [email protected]. If it is malware then they'll most likely remove it and contact the account owner. AWS is usually extremely proactive about security issues.
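The redirect URL and the checksum comparison discussed above can both be checked mechanically. The following Python sketch is an added example, not part of the original question or answer: it splits the quoted S3 URL into bucket, object key, served filename and expiry, and compares a digest against the values reported in the comments. The function names and the `REPORTED_MD5` table are hypothetical, and the MD5 values are the commenters' reports, not an official publisher list.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Redirect target quoted in the question (long expired).
PAGE_URL = ("https://s3.amazonaws.com/github-cloud/releases/571770/"
            "ee4e642e-87e0-11e4-864a-9f8485371008.msi"
            "?response-content-disposition=attachment%3B%20filename%3Dpandoc-1.13.2-windows.msi"
            "&response-content-type=application/octet-stream"
            "&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1428195561"
            "&Signature=67TuZKsrJ4kw3V7xDFxkhtW7KZw%3D")

# MD5 values as reported in the comments above (assumption: not an official list).
REPORTED_MD5 = {
    "pandoc-1.13.1-windows.msi": "f40cb166d8f915afa9df978c014cc94d",
    "pandoc-1.13.2-windows.msi": "d368d072a2b84c72f1ed863db96d7826",
}

def describe_presigned(url, now=None):
    """Split a path-style, query-signed S3 URL into the parts a reader can check."""
    parts = urlsplit(url)
    if parts.hostname != "s3.amazonaws.com":
        raise ValueError("not a path-style s3.amazonaws.com URL")
    bucket, _, key = parts.path.lstrip("/").partition("/")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    name = re.search(r'filename="?([^";]+)', q.get("response-content-disposition", ""))
    expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {"bucket": bucket, "key": key,
            "filename": name.group(1) if name else None,
            "expires": expires.isoformat(), "expired": now > expires}

def md5_of_file(path, chunk=1 << 20):
    """Hash a downloaded file in chunks so large installers need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_digest(filename, digest):
    """Compare a digest with the reported one; name the release it really matches."""
    digest = digest.strip().lower()
    if REPORTED_MD5.get(filename) == digest:
        return "match"
    other = [n for n, d in REPORTED_MD5.items() if d == digest]
    return f"mismatch: digest belongs to {other[0]}" if other else "mismatch: unknown file"

if __name__ == "__main__":
    info = describe_presigned(PAGE_URL)
    print(info)
    print(check_digest(info["filename"], "f40cb166d8f915afa9df978c014cc94d"))
```

MD5 appears here only because those are the values on this page; it is not collision-resistant, so a SHA-256 digest or signature published by the project is the better reference when one exists.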

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM