One in Six Amazon S3 Cloud Storage Users Make Sensitive Data Public
March 28, 2013 5:54 AM
Amazon.com, Inc.'s cloud storage solution is once again under the spotlight of scrutiny following a report by security firm Rapid7. The report by the firm's Senior Security Consultant Will Vandevanter complains that poor security in the cloud may be endangering scores of customers worldwide.
But before you blame Amazon, Mr. Vandevanter makes it clear that it is the businesses that are to blame for the exposure of sensitive customer data.
The service provider, Amazon, gives its customers the ability to make their data private. But according to the report, approximately one in six buckets on Amazon S3 containing sensitive data are made public. It's hard to tell whether this is mere incompetence on the part of firms using the service or whether there is some justification for this dangerous practice, but it's clearly bad news for customers and perhaps unfairly bad publicity for the service provider, Amazon.
In his post "There's a Hole in 1,951 Amazon S3 Buckets", Mr. Vandevanter blogs:
The worst case scenario is that a bucket has been marked as "public", exposes a list of sensitive files, and no access controls have been placed on those files. In situations where the bucket is public, but the files are locked down, sensitive information can still be exposed through the file names themselves, such as the names of customers or how frequently a particular application is backed up.
It should be emphasized that a public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket. And although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists (ACLs). Amazon provides information on managing access controls for buckets. Furthermore, Amazon helps their users by publishing a best practices document on public access considerations around S3 buckets. The default configuration of an S3 bucket is private.
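The distinction the quoted post draws between a bucket's ACL (which controls whether outsiders can list it) and each object's ACL (which controls whether they can download it) is easy to script as a self-audit. The following is an added example, not code from the article or from Rapid7's post. It evaluates ACLs in the dictionary shape that boto3's get_bucket_acl() and get_object_acl() calls return (a "Grants" list of Grantee/Permission pairs), so one function serves both levels, and then sorts each object into the three cases the post describes: downloadable, name-only exposure through a public listing, or private. The bucket and object ACLs at the bottom are constructed samples, and the owner ID in them is made up.

```python
"""Evaluate S3 access control lists for public grants at bucket and object level.

Added example, not code from the DailyTech article or from Rapid7's post.
Input is the dict shape boto3 returns from get_bucket_acl()/get_object_acl().
The ACLs at the bottom are constructed samples with a made-up owner ID.
"""
from __future__ import annotations

# URIs AWS uses for the two "everybody" groups in an ACL grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anonymous)",
    AUTH_USERS: "AuthenticatedUsers (any AWS account)",
}
# READ on a bucket lets the grantee list its keys; READ on an object lets them download it.
READ_LIKE = {"READ", "FULL_CONTROL"}


def public_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (group label, permission) for every grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission", "")))
    return found


def describe_exposure(bucket_acl: dict, object_acls: dict[str, dict]) -> tuple[bool, dict[str, str]]:
    """Classify each object the way the quoted post does.

    Returns (listing_is_public, {key: verdict}) where verdict is one of:
      "downloadable" - the object itself grants READ to a public group
      "name-only"    - the object denies anonymous GET, but the public listing reveals its key
      "private"      - neither the listing nor the object is public
    """
    listing_public = any(perm in READ_LIKE for _, perm in public_grants(bucket_acl))
    verdicts: dict[str, str] = {}
    for key, acl in object_acls.items():
        if any(perm in READ_LIKE for _, perm in public_grants(acl)):
            verdicts[key] = "downloadable"      # object ACL alone decides this, listing or not
        elif listing_public:
            verdicts[key] = "name-only"         # key visible in the listing, content locked
        else:
            verdicts[key] = "private"
    return listing_public, verdicts


# Constructed samples: a bucket whose listing is public, holding one locked-down
# backup (name still leaks) and one deliberately public image.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
ANON_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE_BUCKET_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT, ANON_READ]}
SAMPLE_OBJECT_ACLS = {
    "backups/customer-export-2013-03.csv": {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]},
    "media/logo.png": {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT, ANON_READ]},
}

if __name__ == "__main__":
    listing, verdicts = describe_exposure(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS)
    print("bucket listing public:", listing)
    for key, verdict in verdicts.items():
        print(f"  {verdict:13} {key}")
```

Note that the verdict for an object checks its own ACL first: a public object inside a private bucket is still downloadable by anyone who knows or guesses its URL, which is why the post says a bucket's privacy setting alone says little about its files.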
While Amazon is not directly to blame, the structure of S3 URLs does exacerbate the problem, according to Mr. Vandevanter. As Amazon expects its users to make use of its robust privacy options when necessary, it gears its public S3 URLs for ease of use. As a result, it's very easy to guess the URL names needed to get access to public records.
Mr. Vandevanter demonstrates how companies are goofing on cloud security. [Image Source: BrightCove/Rapid7]
The listing URL of a bucket is http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/; a private bucket returns an access denied error, while a public bucket shows its first 1,000 records.
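The public-versus-private check described above can be scripted against a bucket you own to see exactly what an outsider sees. The following is an added example, not code from the article or from Rapid7: it parses the two XML bodies S3 returns for an anonymous listing request (a ListBucketResult for a public bucket, an Error document for a private or missing one), reports the object names a public listing would reveal and whether S3 capped the page at 1,000 entries, and wraps that in an unauthenticated GET using only the standard library. The two response bodies at the bottom are constructed samples with a made-up bucket name; the https scheme and User-Agent string are this example's choices.

```python
"""Classify the anonymous listing response of an S3 bucket.

Added example; not code from the DailyTech article or from Rapid7. Uses only
the Python standard library. The XML samples at the bottom are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Namespace S3 puts on ListBucketResult; its Error documents carry no namespace.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


@dataclass
class ListingCheck:
    status: str                                      # "public-listing", "private", "no-such-bucket" or "unknown"
    keys: list[str] = field(default_factory=list)    # object names an anonymous caller can see
    truncated: bool = False                          # True when S3 capped the page at 1,000 keys


def classify_listing(body: bytes) -> ListingCheck:
    """Turn the XML body of an anonymous GET on the bucket URL into a verdict."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ListingCheck("unknown")
    tag = root.tag.replace(S3_NS, "")
    if tag == "ListBucketResult":
        keys = [el.text or "" for el in root.findall(f"{S3_NS}Contents/{S3_NS}Key")]
        truncated = (root.findtext(f"{S3_NS}IsTruncated") or "false").lower() == "true"
        return ListingCheck("public-listing", keys, truncated)
    if tag == "Error":
        code = root.findtext("Code") or ""
        if code == "AccessDenied":
            return ListingCheck("private")
        if code == "NoSuchBucket":
            return ListingCheck("no-such-bucket")
    return ListingCheck("unknown")


def check_own_bucket(bucket: str, timeout: float = 10.0) -> ListingCheck:
    """Fetch the listing URL without credentials, exactly as an outsider would see it."""
    req = Request(f"https://{bucket}.s3.amazonaws.com/", headers={"User-Agent": "s3-listing-self-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.read())
    except HTTPError as err:        # 403 and 404 responses still carry an XML Error body
        return classify_listing(err.read())


# Constructed sample bodies, shaped like S3's real responses.
PUBLIC_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-corp-backup</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>db/customers-2013-03-27.sql.gz</Key><Size>48211</Size></Contents>
  <Contents><Key>db/customers-2013-03-28.sql.gz</Key><Size>48377</Size></Contents>
</ListBucketResult>"""
PRIVATE_BUCKET = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>constructed</RequestId></Error>"""

if __name__ == "__main__":
    for label, body in (("public", PUBLIC_LISTING), ("private", PRIVATE_BUCKET)):
        result = classify_listing(body)
        print(label, "->", result.status, f"({len(result.keys)} keys shown, more pages: {result.truncated})")
        for key in result.keys:
            print("   exposed name:", key)
```

A "private" verdict here only means the listing is closed; individual objects can still be fetchable through their own ACLs, and a "public-listing" verdict with truncated set means the 1,000 keys shown are only the first page of what is exposed.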
To guess the bucket names, the researcher used several sources:
- Guessing names through a few different dictionaries:
  - List of Fortune 1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
  - List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
- Extracting S3 links from the HTTP responses identified by the [...]. This enabled us to identify s3.amazonaws.com and cloudfront.net addresses "in the wild". It is very common for a cloudfront.net address to point to an S3 bucket.
- The Bing Search API was queried to gather a list of potentials.
The results allowed the discovery of 12,328 unique buckets -- 1,951 of which were public, and 10,377 of which were private. In total he gathered 126 billion files from the open buckets -- including files that appeared to contain private user data.
Robin Wood, aka "DigiNinja", has published a public web tool that uses similar sources to generate a list of S3 bucket names.
An exasperated Amazon has told Mr. Vandevanter that it is "currently putting measures in place to proactively identify misconfigured files and buckets moving forward."
In other words, Amazon realizes that some of its clients are too incompetent to manage their own security settings, so it's trying to take the responsibility on itself to double-check their work.
But fixing the settings retroactively may not protect users fully. Mr. Vandevanter writes:
[...] is a great resource to identify previously open buckets. Using a modified version of [...] I also quickly identified a few hundred buckets that are currently private that previously weren't.
Looks like the only real solution is to not move to the cloud if you can't handle simple security of the hand-holding variety (which appears to be the case for some firms).
This security "study" is similar to the hack done by Goatse Security researcher Andrew Auernheimer. Showcasing the ambiguity of computer security laws, Mr. Vandevanter will likely be praised for his work (and has the security firm's backing to protect him if he gets charged or sued), whereas Mr. Auernheimer's similar dump of exposed AT&T, Inc. customer data earned him nearly 4 years in prison. The message seems to be that if you work for corporate security, feel free to probe away, but if you work as an independent security researcher, prepare to be harassed and sent to prison due to the U.S.'s poorly written computer crime laws.
Copyright 2016 DailyTech LLC.