Security in the cloud still has a fuzzy look and feel, and when it comes to data storage there are holes through which data can leak.
A security researcher at Rapid7 has found ways a company's documents can leak out of Amazon's S3 (Simple Storage Service).
Companies use Amazon S3 for expandable storage on Amazon's cloud, whether for backups, document storage or as the back-end capacity for a number of web services. The storage is organised into buckets, each marked public or private, and every bucket has a simple URL of the form http://s3.amazonaws.com/bucketname or http://bucketname.s3.amazonaws.com/.
The researcher built on previous research, which used a bucket finder tool that guessed bucket names from nothing more than a word list, and gathered a far wider sample. He found 12,328 buckets by generating names from dictionaries and from permutations of Fortune 1000 company names and of Alexa's top 100,000 sites, by extracting S3 requests from HTTP traffic and by using Bing's search API; most came from the extracted S3 requests, thanks to the critical.io project. Of those, 10,377 were private and 1,951 were marked public, and those 1,951 public buckets held 126 billion files.
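The enumeration described above comes down to two steps: generate plausible bucket names, then send an unauthenticated GET to each bucket URL and read the answer. The following is an added example written for this page, not the bucket finder tool or Rapid7's own code. The prefix and suffix word list is an assumption, the bucket names are made up, and the HTTP replies are constructed inline from the XML shapes S3 uses (NoSuchBucket, AccessDenied, ListBucketResult) so the script runs offline without touching Amazon.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# S3 bucket naming rules: 3 to 63 characters, lower-case letters, digits, dots and hyphens.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidate_names(org, words=("backup", "backups", "dev", "prod", "static", "assets")):
    """Build plausible bucket names for an organisation or site name.

    Mirrors the permutation approach from the article: the bare name plus common
    prefixes and suffixes. This word list is an assumption, not the researchers' list.
    """
    base = re.sub(r"[^a-z0-9]", "", org.lower())
    names = {base}
    for w in words:
        names.update({f"{base}-{w}", f"{w}-{base}", f"{base}{w}"})
    return sorted(n for n in names if BUCKET_NAME_RE.match(n))


def bucket_url(name, virtual_hosted=True):
    """Either URL form from the article addresses the same bucket."""
    if virtual_hosted:
        return f"https://{name}.s3.amazonaws.com/"
    return f"https://s3.amazonaws.com/{name}/"


def classify_response(status, body):
    """Classify the reply to an unauthenticated GET on a bucket URL.

    Returns (state, keys); keys holds the object keys when a listing was served.
    """
    if status == 404:
        return "nonexistent", []          # body: <Error><Code>NoSuchBucket</Code>...
    if status == 403:
        return "private", []              # bucket exists, anonymous listing denied
    if status == 301:
        return "exists-other-region", []  # PermanentRedirect: retry against the bucket's region
    if status == 200:
        root = ET.fromstring(body)
        if root.tag == S3_NS + "ListBucketResult":
            keys = [k.text for k in root.iter(S3_NS + "Key")]
            # IsTruncated=true means more keys are available via the marker parameter.
            truncated = root.findtext(S3_NS + "IsTruncated") == "true"
            return ("public-truncated" if truncated else "public"), keys
    return "unknown", []


def sweep(responses):
    """Classify a name -> (status, body) map; returns name -> (state, keys)."""
    return {name: classify_response(status, body) for name, (status, body) in responses.items()}


# Constructed replies standing in for live HTTP responses (no network involved).
PUBLIC_LISTING = (
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>acme-backup</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys>"
    "<IsTruncated>false</IsTruncated>"
    "<Contents><Key>db/customers-dump.sql.gz</Key><Size>1048576</Size></Contents>"
    "<Contents><Key>src/config.php</Key><Size>2048</Size></Contents>"
    "</ListBucketResult>"
)
NO_SUCH_BUCKET = "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"
ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

SAMPLE_RESPONSES = {
    "acme": (403, ACCESS_DENIED),
    "acme-backup": (200, PUBLIC_LISTING),
    "acme-dev": (404, NO_SUCH_BUCKET),
}

if __name__ == "__main__":
    for name in candidate_names("Acme"):
        print(bucket_url(name))
    for name, (state, keys) in sweep(SAMPLE_RESPONSES).items():
        print(f"{name:14} {state:20} {len(keys)} keys listed")
```

The three-way split matters: a 403 is not a dead end but proof that the bucket exists under that name, which is why a guessed name list yields a census of private as well as public buckets, as the researcher's 10,377 versus 1,951 figures show.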
Although some of the S3 buckets were correctly set to public, analysis of a 40,000-file sample from the discovered public buckets revealed a great deal of sensitive data. The researchers found sales records and account information for a car dealership, an ad company's client records for tracking click-through rates, spreadsheets with personal employee information, database backups, video game source code and tools, PHP source code containing usernames and passwords, and sales "battlecards" for a large software vendor. There were also personal photos from a number of social media sites.
The Rapid7 researchers recommend that anyone who uses Amazon S3 as a storage platform immediately check that they have correctly set the access on their buckets.
Amazon has a guide to the options available. According to the researchers, the Amazon AWS team has warned users about the risks and is putting measures in place to proactively identify misconfigured buckets.
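Checking the access on a bucket means reading its ACL and looking for grants to the two predefined global groups, AllUsers (anonymous) and AuthenticatedUsers (any AWS account, not just yours). The following audit is an added example for this page, not Amazon's guide or Rapid7's tooling. The XML follows the shape S3 returns for a GET on the bucket's `?acl` resource; the two ACLs, the bucket names and the owner IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Who each predefined group really is; AuthenticatedUsers is often misread as "my users".
GROUP_MEANING = {
    ALL_USERS: "anyone on the internet, no AWS account needed",
    AUTHENTICATED_USERS: "any AWS account holder, not just your own accounts",
}

# What a bucket-level permission lets the grantee do.
PERMISSION_MEANING = {
    "READ": "list every object key in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL, i.e. grant themselves full control",
    "FULL_CONTROL": "all of the above",
}


def exposed_grants(acl_xml):
    """Return (group URI, permission) for every grant to a predefined global group."""
    root = ET.fromstring(acl_xml)
    found = []
    for grant in root.iter(S3_NS + "Grant"):
        uri = grant.findtext(f"{S3_NS}Grantee/{S3_NS}URI")   # None for CanonicalUser grantees
        permission = grant.findtext(S3_NS + "Permission")
        if uri in GROUP_MEANING and permission:
            found.append((uri, permission))
    return found


def report(bucket, acl_xml):
    """Human-readable findings; an empty list means the ACL grants nothing to the global groups."""
    return [
        f"{bucket}: {permission} granted to {GROUP_MEANING[uri]} "
        f"({PERMISSION_MEANING.get(permission, 'unknown permission')})"
        for uri, permission in exposed_grants(acl_xml)
    ]


XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
OWNER = f'<Owner><ID>0000owner</ID><DisplayName>acme</DisplayName></Owner>'
OWNER_GRANT = (
    f'<Grant><Grantee {XSI} xsi:type="CanonicalUser"><ID>0000owner</ID></Grantee>'
    "<Permission>FULL_CONTROL</Permission></Grant>"
)

# Constructed ACL for a correctly private bucket: only the owner appears.
PRIVATE_ACL = (
    f'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">{OWNER}'
    f"<AccessControlList>{OWNER_GRANT}</AccessControlList></AccessControlPolicy>"
)

# Constructed ACL for a misconfigured bucket: anonymous listing plus world-writable by any AWS account.
PUBLIC_ACL = (
    f'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">{OWNER}'
    f"<AccessControlList>{OWNER_GRANT}"
    f'<Grant><Grantee {XSI} xsi:type="Group"><URI>{ALL_USERS}</URI></Grantee>'
    "<Permission>READ</Permission></Grant>"
    f'<Grant><Grantee {XSI} xsi:type="Group"><URI>{AUTHENTICATED_USERS}</URI></Grantee>'
    "<Permission>WRITE</Permission></Grant>"
    "</AccessControlList></AccessControlPolicy>"
)

if __name__ == "__main__":
    for bucket, acl in (("acme", PRIVATE_ACL), ("acme-backup", PUBLIC_ACL)):
        print("\n".join(report(bucket, acl)) or f"{bucket}: no global grants")
```

The same grants are what `aws s3api get-bucket-acl --bucket NAME` prints as JSON. Note that a clean bucket ACL is necessary but not sufficient: a bucket policy or per-object ACLs can expose objects on their own, so an audit has to look at those as well.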