Many Amazon S3 cloud storage users are exposing sensitive company secrets, claims report

Filed Under: Data loss, Featured, Security threats, Vulnerability

Leaky bucket. Image from ShutterstockApproximately one in six buckets Amazon S3 storage buckets (of the 12,328 identified) are leaking sensitive data and company secrets, claims a new report.

Amazon Simple Storage Service (S3) is a web services interface for storing and retrieving static data from Amazon's cloud that gives developers a way to store and access, for example, server backups, company documents, web logs, and publicly visible content, including images and PDFs.

Such content is organized into "buckets", accessible at predictable URLs.

Here's the type of bucket information to which any interested party (or e-scumbag prone to network attack or black market vending) has free and open access if users have set the buckets to public access, according to Rapid7 Senior Security Consultant Will Vandevanter:

  • Personal photos from a medium-sized social media service
  • Sales records and account information for a large car dealership
  • Affiliate tracking data, click-through rates, and account information for an ad company’s clients
  • Employee personal information and member lists across various spreadsheets
  • Unprotected database backups containing site data and encrypted passwords
  • Video game source code and development tools for a mobile gaming firm
  • PHP source code including configuration files, which contain usernames and passwords
  • Sales “battlecards” for a large software vendor

Rapid7 Senior Security Consultant Will Vandevanter

Those are just some of the materials that Vandevanter, assisted by HD Moore and inspired by Robin Wood, gathered from 1,951 buckets they found open to public scrutiny.

The sheer number of files made it unrealistic to test the permissions of every single object, so a random sampling was taken instead. All told, we reviewed over 40,000 publicly visible files, many of which contained sensitive data.

Roughly, that's about one in six buckets that have been "left open for the perusal of anyone that's interested," he says.

Defining the security risks, Vandevanter says, is a no-brainer:

A list of files and the files themselves - if available for download - can reveal sensitive information. The worst case scenario is that a bucket has been marked as 'public', exposes a list of sensitive files, and no access controls have been placed on those files.

In situations where the bucket is public, but the files are locked down, sensitive information can still be exposed through the file names themselves, such as the names of customers or how frequently a particular application is backed up.

This isn't Amazon's fault, mind you. Amazon S3 buckets' default setting is private. Buckets set to "public" will list all files and directories to anybody who asks.

By default, buckets will have one of two predictable, publicly accessible URLs, Vandevanter says.

Using the two URL syntaxes he provides, users will either be denied access by a private bucket, or they'll be peering into the first 1,000 objects stored in a public bucket.

As for remedies, this one is straightforward, Vandevanter writes: "Check your buckets. If they're open, determine whether the content is something you don't mind exposing."

If your content should be kept private, check out Amazon's tutorial on how to lock it down.

Unfortunately, making a bucket private now doesn't extend to bucket versions stored away in Google indexing.

Time machine. Image from Shutterstock

Vandevanter recommends the Internet WayBackMachine to find previously open buckets. Also, he used a modified version of @mubix’s Metasploit module to find "a few hundred" currently private buckets that were previously open.

Here are Amazon's instructions on how to manage access control lists for objects in buckets.

Amazon, clearly, isn't at fault, as Vandevanter points out. The company has set the buckets to private by default, and it's published plenty of resources to instruct users on how to keep data safe.

A spirited discussion on Slashdot questions a) whether Vandevanter is vulnerable to prosecution over the classic security technique of testing doorknobs to see which are open and b) whether this is news at all, rather than a case of RTFM (Caution: Link may be NSFW).

In my opinion, a) let's hope not; enough already with the overzealous prosecutions of hackers a la Weev and Schwartz, et al. and b) that sounds about right.

Will Vandevanter whiteboard image courtesy of Rapid7.
Leaky bucket and time machine images from Shutterstock.

, , , , , , ,

You might like

One Response to Many Amazon S3 cloud storage users are exposing sensitive company secrets, claims report

  1. anon · 925 days ago

    I don't mean to be snarky, but why would you make readers visit a nsfw page for an explanation of why this isn't news when you could type it?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.