Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets. Those contents range from sales records and personal employee information to source code and unprotected database backups. Much of the data could be used to stage a network attack, to compromise user accounts, or to sell on the black market.
All told, the researchers managed to discover and explore nearly 2,000 buckets, from which they gathered a list of more than 126 billion files. They reviewed over 40,000 publicly visible files, many of which contained sensitive information, according to Rapid7 Senior Security Consultant Will Vandevanter.
"The security risk from a public bucket is simple. A list of files and the files themselves -- if available for download -- can reveal sensitive information," wrote Vandevanter in a blog post titled "There's a Hole in 1,951 Amazon S3 Buckets." "The worst-case scenario is that a bucket has been marked as 'public', exposes a list of sensitive files, and no access controls have been placed on those files."
"This is important to understand and emphasize," he stressed. "A public bucket will list all of its files and directories to any user that asks."
The root of the problem isn't a security hole in Amazon's storage cloud, according to Vandevanter. Rather, he blamed Amazon S3 account holders who have failed to set their buckets to private -- or, to put it more bluntly, organizations that have embraced the cloud without fully understanding it. The fact that all S3 buckets have predictable, publicly accessible URLs doesn't help, though.
Just because a file is listed in a bucket doesn't mean it can be downloaded, he noted; buckets and objects have their own access control lists (ACLs). However, even if a user does lock down the files within a public bucket, a data thief could still glean potentially sensitive information from the file names alone, including customer names or the frequency with which applications are backed up.
Contributing to the problem may be the fact that all S3 buckets have a unique, predictable, and publicly accessible URL, which makes it easy to track down buckets and determine which are private and which are public. By default this URL will be either http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/. If you enter the URL and receive an Access Denied response, the bucket is private. If it's public, you'll be presented with the first 1,000 objects stored therein.
Thanks to the predictable, public-facing nature of S3 buckets, the researchers were able to discover a total of 12,328 unique buckets; 1,951 of them were public, and 10,377 were private. They used a variety of techniques to discover those bucket names, including:
- Guessing names from a few different dictionaries, including a list of Fortune 1000 companies and the Alexa top 1,000,000 sites
- Extracting S3 links from the HTTP responses identified by the Critical.IO project
- Querying the Bing Search API for a list of potentials
Notably, security researcher Robin Wood recently published a tool called Bucket Finder, which uses a user-provided wordlist to track down bucket names in S3. For each bucket it finds, the tool checks whether it is public, private, or a redirect, Wood explained.
Vandevanter and fellow researcher HD Moore recommend that S3 users check whether their buckets are open. If they are, and you don't want to share their contents with the world, he recommends setting them to private. "Remediation is quite simple for this one, and Amazon has made it even easier by helpfully walking through the options for you," he wrote.
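One way to run the check Vandevanter and Moore recommend against a bucket you own, written here as an added example rather than code from Rapid7 or the article: it fetches the default bucket URL described above with no credentials, maps the response the way the article does (Access Denied means private, a listing means public), and parses the ListBucketResult XML so you can see which key names are exposed even when the objects themselves are locked down. The sample listing, the SENSITIVE_HINTS substrings and the function names are assumptions of this example.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespace of the ListBucketResult document S3 returns for a public bucket.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of a public bucket's answer (not a real bucket).
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>backups/db-2013-03-01.sql.gz</Key><Size>5242880</Size></Contents>
  <Contents><Key>hr/employees.csv</Key><Size>20480</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>1024</Size></Contents>
</ListBucketResult>"""

# Substrings in key names that suggest the listing alone leaks something (assumed list).
SENSITIVE_HINTS = ("backup", ".sql", ".bak", "employee", "customer", "passwd", ".pem")

def parse_listing(xml_bytes):
    """Return (key names, is_truncated) from a ListBucketResult document."""
    root = ET.fromstring(xml_bytes)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError("response is not a bucket listing")
    keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated

def flag_sensitive_keys(keys):
    """Names that leak information even when the objects are not downloadable."""
    return [k for k in keys if any(h in k.lower() for h in SENSITIVE_HINTS)]

def classify(status, body):
    """Map an unauthenticated GET of the bucket URL to the article's outcomes."""
    if status == 403:
        return "private", []  # Access Denied: the listing is not exposed
    if status == 404:
        return "no such bucket", []
    if status == 200:
        keys, truncated = parse_listing(body)
        return ("public, listing truncated at 1,000" if truncated else "public"), keys
    return "unexpected HTTP %d" % status, []

def audit_bucket(bucket_name):
    """Fetch http://[bucket_name].s3.amazonaws.com/ with no credentials."""
    url = "http://%s.s3.amazonaws.com/" % bucket_name
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
```

Call `audit_bucket("your-bucket-name")` and pass the returned keys to `flag_sensitive_keys` to see which names would be visible to anyone who asks; a truncated listing means the bucket holds more than the 1,000 objects shown on the first page.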
In the meantime, he said that the Amazon AWS security team has warned their users about the risk and is "currently putting measures in place to proactively identify misconfigured files and buckets moving forward."
This article, "One in six Amazon S3 storage buckets are ripe for data-plundering," was originally published at InfoWorld.com.