Task 1 of 5

Real Breach: Capital One — 100 Million Records via SSRF

## How One Cloud Misconfiguration + SSRF Cost $80 Million

In 2019, Capital One suffered one of the largest financial data breaches in US history. The attacker: a former AWS engineer. The method: **SSRF against the cloud metadata service**.

Capital One ran a web application firewall (WAF) on AWS. The WAF had a misconfigured permission that allowed it to make outbound HTTP requests. The attacker sent a specially crafted request that caused the WAF to fetch:

`http://169.254.169.254/latest/meta-data/iam/security-credentials/`

That IP — 169.254.169.254 — is the AWS instance metadata service. It's only reachable from inside the cloud instance itself. Normal users on the internet can't touch it. But the server-side WAF could.

The metadata endpoint handed back **temporary AWS credentials** with admin-level permissions. With those credentials, the attacker downloaded 106 million customer records: names, Social Security numbers, credit scores, bank account numbers.

**Total cost: $80 million in fines plus $190 million in settlements.**

---

### Why SSRF Is So Dangerous in the Cloud

Every major cloud provider has a metadata endpoint reachable via SSRF:

| Provider | Metadata URL |
|---|---|
| AWS | `http://169.254.169.254/latest/meta-data/` |
| Google Cloud | `http://metadata.google.internal/` |
| Azure | `http://169.254.169.254/metadata/instance` |

If an app running in the cloud can be tricked into fetching these URLs, the attacker receives cloud credentials, instance details, and sometimes user data — all from a single request.

This is why SSRF jumped to the OWASP Top 10 in 2021 (it wasn't even on the list before). Cloud adoption made it catastrophic.
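The defensive counterpart to the fetch described above is an outbound-URL check that a server-side component runs before it follows any user-influenced URL. The example below is added here and is not Capital One's code or any cloud provider's library: it allowlists destination hosts, resolves the name, and rejects any address in a link-local or private range (which covers the 169.254.169.254 metadata address from the table) plus the `metadata.google.internal` hostname. The allowlist entries, the `*.example` hostnames and the `FAKE_DNS` table are constructed so the demo runs offline; `default_resolver` is the only part that touches the network.

```python
"""Outbound-URL validator for a server-side fetch (added example, not from the
original page). Hostnames, allowlist and the FAKE_DNS table are constructed."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Address ranges an application-initiated fetch must never reach.
# 169.254.0.0/16 contains 169.254.169.254, the AWS and Azure metadata address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                   # IPv4 link-local (cloud metadata)
    "127.0.0.0/8", "0.0.0.0/8",                         # loopback, "this" network
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private ranges
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]
# Metadata hostnames; metadata.google.internal is the one from the table above.
BLOCKED_HOSTNAMES = {"metadata.google.internal"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    address: Optional[str] = None   # validated address the caller should connect to


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Return host as an address if it is a literal (dotted, IPv6, or whole-integer
    spelling that some resolvers accept); return None if it is a DNS name."""
    try:
        if host.isdigit():
            return ipaddress.ip_address(int(host))
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_blocked(addr: IPAddress) -> bool:
    """True if addr lies in a blocked range; IPv4-mapped IPv6 is unwrapped first
    so ::ffff:169.254.169.254 is judged by the IPv4 rules."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> List[str]:
    """Live DNS lookup returning every address (A and AAAA) the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, allowed_hosts: Iterable[str],
                          resolver: Callable[[str], List[str]] = default_resolver) -> Verdict:
    """Decide whether the application may fetch url. Allowlist first, then every
    resolved address is checked against the blocked ranges."""
    try:
        parts = urlsplit(url)
        host = parts.hostname           # already lowercased, brackets stripped
    except ValueError as exc:           # e.g. malformed IPv6 brackets
        return Verdict(False, f"unparseable URL: {exc}")
    if parts.scheme not in ("http", "https"):
        return Verdict(False, f"scheme {parts.scheme!r} not permitted")
    if not host:
        return Verdict(False, "URL has no host")
    host = host.rstrip(".")
    if host in BLOCKED_HOSTNAMES:
        return Verdict(False, f"{host} is a metadata-service hostname")
    allow = {h.lower() for h in allowed_hosts}
    literal = parse_ip_literal(host)
    if literal is None and host not in allow:
        # Never resolve names we would not fetch anyway (avoids attacker-driven lookups).
        return Verdict(False, f"{host} is not on the outbound allowlist")
    try:
        candidates = [literal] if literal is not None else \
            [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError) as exc:
        return Verdict(False, f"could not resolve {host}: {exc}")
    if not candidates:
        return Verdict(False, f"{host} resolved to no addresses")
    # A name with one public and one link-local record could still land on the
    # metadata service, so every candidate must be clean.
    for addr in candidates:
        if is_blocked(addr):
            return Verdict(False, f"{host} maps to blocked address {addr}")
    if host not in allow:   # IP literals must be allowlisted explicitly too
        return Verdict(False, f"{host} is not on the outbound allowlist")
    return Verdict(True, "ok", str(candidates[0]))


# Constructed DNS table standing in for a live resolver (all names are made up).
FAKE_DNS = {
    "partner-api.example": ["203.0.113.10"],
    "rebound.example": ["203.0.113.20", "169.254.169.254"],  # one record hits IMDS
    "v6-mapped.example": ["::ffff:169.254.169.254"],
}
ALLOWLIST = {"partner-api.example", "rebound.example", "v6-mapped.example"}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"{host}: NXDOMAIN")
    return FAKE_DNS[host]


def demo() -> dict:
    """Run the validator over a constructed mix of safe and metadata-bound URLs."""
    urls = [
        "https://partner-api.example/report",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://metadata.google.internal/",
        "http://rebound.example/",
        "http://v6-mapped.example/",
        "http://2852039166/",
    ]
    return {u: validate_outbound_url(u, ALLOWLIST, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{'ALLOW' if verdict.allowed else 'DENY ':5} {url}  ({verdict.reason})")
```

The caller should open the connection to `Verdict.address` rather than letting the HTTP library resolve the name again, otherwise a record that changes between the check and the fetch reopens the gap. Range checks are the second layer behind the allowlist, not a substitute for it. On the cloud side, requiring AWS IMDSv2 (a session token obtained with a PUT request, with the default hop limit of 1) is an independent control that stops a proxied GET like the one above from reading credentials even if the application check is bypassed.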