Leaky S3 buckets have gotten so common that they’re being found by the thousands now, with lots of buried secrets
The massive amount of exposed data on misconfigured AWS S3 storage buckets is a catastrophic network breach just waiting to happen, say experts.
The team at Truffle Security says its automated search tools were able to stumble across some 4,000 open Amazon S3 buckets that included data companies would not want public, things like login credentials, security keys, and API keys.
In fact, the leak hunters say that the exposed data was so common, they were able to count an average of around 2.5 pieces of ‘secret’ data in each file they analyzed. In some cases, more than 10 secrets were found in a single file. These included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.
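The "secrets per file" figure above comes from an automated scan of bucket contents. The following is an added illustration of that kind of audit, written for this page and not Truffle Security's own tooling: a small regex-based scanner that is run over a handful of constructed object bodies (the key IDs are the well-known AWS documentation example values, every other value is fabricated) and reports how many credential-looking strings each object holds, with the values masked in the output. The patterns are deliberately narrow heuristics for the secret types the article names, not a complete scanner, and the object names and contents are assumptions.

```python
import re
from statistics import mean

# Constructed sample objects standing in for files pulled from a bucket. The AKIA
# key IDs are the AWS documentation example keys; all other values are made up.
SAMPLE_OBJECTS = {
    "config/app.env": (
        "DB_CONN=Server=db.internal;Database=app;User Id=sa;Password=Sup3rS3cret!\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "MONGO_URL=mongodb://appuser:hunter2@mongo.internal:27017/app\n"
    ),
    "docs/readme.txt": "Public product notes. Nothing sensitive here.\n",
    "backup/export.json": (
        '{"s3_reader": {"key": "AKIAI44QH8DHBEXAMPLE", '
        '"secret": "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"}}\n'
    ),
}

# Narrow heuristics for a few of the secret types named in the findings. The AWS
# access-key-ID prefix is fixed; the others key off labels or URI structure.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[a-z_]*[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})\b"),
    "mongodb_uri_with_credentials": re.compile(
        r"mongodb(?:\+srv)?://[^\s\"'@/]+:[^\s\"'@/]+@[^\s\"']+"),
    "sql_server_password": re.compile(r"(?i)password\s*=\s*([^;\s\"']+)"),
}


def find_secrets(text):
    """Return (kind, value) pairs for every pattern hit in one object's contents."""
    found = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            found.append((kind, value))
    return found


def mask(value):
    """Keep a short identifying prefix so a finding can be traced, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_objects(objects):
    """Map object key -> list of findings for a dict of {key: contents}."""
    return {key: find_secrets(body) for key, body in objects.items()}


def summarize(results):
    """Per-bucket statistics of the kind quoted in the article (mean, max per object)."""
    counts = [len(findings) for findings in results.values()]
    return {
        "objects_scanned": len(counts),
        "objects_with_secrets": sum(1 for c in counts if c),
        "secrets_total": sum(counts),
        "mean_secrets_per_object": round(mean(counts), 2) if counts else 0.0,
        "max_secrets_in_one_object": max(counts, default=0),
    }


def report(results):
    """Print masked findings per object followed by the summary."""
    for key, findings in results.items():
        print(f"{key}: {len(findings)} secret(s)")
        for kind, value in findings:
            print(f"  - {kind}: {mask(value)}")
    print(summarize(results))


if __name__ == "__main__":
    report(scan_objects(SAMPLE_OBJECTS))
```

In practice the same `find_secrets` function is pointed at objects streamed from your own buckets (or at a pre-commit hook before files are uploaded), and any hit is treated as a rotation task, not just a report line: a credential that has sat in a world-readable object should be assumed used.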
That the Truffle Security team was able to turn up roughly 4,000 insecure buckets with private information shows just how common it is for companies to leave their cloud storage instances unguarded.
Though AWS has done what it can to get customers to lock down their cloud instances, finding exposed storage buckets and databases is pretty trivial for trained security professionals to pull off.
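Whether a bucket is actually exposed depends on the combination of its bucket policy, its ACL grants, and the account- or bucket-level Block Public Access settings. The block below is an added example for this page, not an AWS or Truffle Security tool: it evaluates that combination offline against a few constructed bucket descriptions in the shape returned by the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls, and shows that turning on the hardened Block Public Access settings closes the exposure without editing the policy. The logic is a simplification of the real evaluation (for instance, any statement with a Condition is treated as "not obviously public"), and the bucket names and policies are assumptions.

```python
import json

# ACL group URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# The four Block Public Access switches, all on: the configuration to aim for.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample policy: anonymous read of every object (assumed bucket name).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
ACCOUNT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
ALL_USERS_READ_GRANT = {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}

# Constructed bucket descriptions (not real buckets).
SAMPLE_BUCKETS = [
    {"Name": "open-bucket", "Policy": PUBLIC_READ_POLICY},
    {"Name": "restricted-bucket", "Policy": PUBLIC_READ_POLICY,
     "PublicAccessBlock": HARDENED_PUBLIC_ACCESS_BLOCK},
    {"Name": "acl-bucket", "Grants": [ALL_USERS_READ_GRANT]},
    {"Name": "private-bucket", "Policy": ACCOUNT_ONLY_POLICY},
]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_grants_public_read(policy):
    """True if an unconditioned Allow statement lets an anonymous principal read objects."""
    if not policy:
        return False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def acl_grants_public_read(grants):
    """True if the ACL gives READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for grant in grants or []:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in {"READ", "FULL_CONTROL"}):
            return True
    return False


def assess_bucket(bucket):
    """Combine policy, ACL and Block Public Access into an effective-exposure verdict.
    RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls a public ACL."""
    pab = bucket.get("PublicAccessBlock") or {}
    via_policy = (policy_grants_public_read(bucket.get("Policy"))
                  and not pab.get("RestrictPublicBuckets", False))
    via_acl = (acl_grants_public_read(bucket.get("Grants"))
               and not pab.get("IgnorePublicAcls", False))
    return {"bucket": bucket["Name"], "public_via_policy": via_policy,
            "public_via_acl": via_acl, "public": via_policy or via_acl}


if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(json.dumps(assess_bucket(b)))
```

To run this against a real account, feed `assess_bucket` the `Policy` JSON from `get_bucket_policy`, the `Grants` list from `get_bucket_acl` and the `PublicAccessBlockConfiguration` from `get_public_access_block` (the account-level setting from `s3control` overrides the bucket-level one and should be checked first); a bucket that comes back `public` is one the article's scan would have found.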
In some cases, the leak hunters have even partnered up with law firms, collecting referral fees when they send aggrieved customers to take part in class-action lawsuits against companies that exposed their data.
While in many cases the insecure buckets contain information that the company might want public, or at least wouldn’t mind leaving out for the world to see, these instances were found to have information that you would want to keep closely guarded.
Truffle says it is trying to get the affected companies notified, or at least have the leaky buckets taken offline by AWS.
“We did hundreds of disclosures, and partnered with providers in some cases to get keys revoked for buckets where we couldn’t identify owners,” the team writes.
“Disclosures ranged from dozens of Fortune 500 companies, to NGOs and small startups.”
While the fact that the buckets were left open is pretty bad in and of itself, the Truffle crew believes that the real danger is that the exposed ‘secrets’ would have a cascading effect where an attacker could use the exposed keys and credentials to get into other, more secure accounts and services.
In other words, they fear that the misconfigured buckets would serve as the entry point for a much larger data leak.
“It’s probably fair to assume authenticated buckets contain more secrets than unauthenticated ones, due to the implied higher security bar authentication provides. This means attackers can likely use the first round of buckets to find keys that unlock an additional round of buckets and expose more keys, which could expose more buckets, etc,” explained the Truffle team.
“We did not use any of these keys or explore this possibility for obvious reasons, but this makes this type of attack ‘wormable’, i.e., one bucket can lead to another bucket, and so on, magnifying the impact of the leak.” ®