Field Note · Blog

Disclosure in Action: I Wasn’t Looking for a Cloud Secret

Day one of the disclosure arc: an accidental find in a public Android APK build. Notes from before there was a "finding" to act on.

Disclosure in Action March 18, 2026 – CompleteTech LLC

Field Note 01 – Accidental Finding

I wasn't looking for a cloud secret.

I started with the machine, not AWS. I owned the hardware, disliked the software experience, and wanted to understand enough of the vending stack to reason about integration points, device behavior, and what I might replace.

The finding came from normal reverse-engineering work on software attached to equipment I owned. I was trying to understand how the Android vending-machine APK behaved and how it interacted with the rest of the system.

That is an important distinction for me. I was not hunting for someone else's cloud account. I was trying to map a machine I was operating. The credential surfaced while I was reading the application package and following what the code appeared to do.

The moment a long-term AWS IAM credential pair appeared in application constants, the task changed. This was no longer just operational research. It became evidence that needed to be handled carefully.

Starting pointA vending machine I owned, an Android APK, and a practical need to understand the system.
What changedStatic code review showed a credential-looking value embedded directly in the application.
First boundaryI treated the observation as sensitive immediately and avoided any live cloud interaction.

The first lesson is not technical. It is posture: when a normal engineering investigation exposes a secret, stop treating it like trivia and start treating it like disclosure material.

CompleteTech LLC – Innovation at Every Integration Public disclosure series – 2026