Almost 2,000 Amazon cloud storage buckets are inadvertently exposing confidential user data because their owners configured them improperly, according to a study by Metasploit vendor Rapid7.
Buckets are logical storage containers that companies use for purposes ranging from mirroring downloads to storing office documents or local backups. They can be set as either public or private, and access to the files is granted accordingly. If a bucket is set as public, its contents can be listed and accessed by anyone who knows its URL. That URL is easy to deduce because it follows a predefined format (such as http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/), so a bucket's URL can be guessed simply by running names from a dictionary, for instance.
“From the 1,951 public buckets we gathered a list of over 126 billion files,” wrote Rapid7’s Will Vandevanter in a blog post. “The sheer number of files made it unrealistic to test the permissions of every single object, so a random sampling was taken instead. All told, we reviewed over 40,000 publicly visible files, many of which contained sensitive data.”
The files found contained critical information about their owners and customers, including sales records, employee information, database backups, and source code for video games and websites. The Rapid7 study shows that you can rely on cloud storage to keep your assets, but it can’t (yet) protect you from yourself. If you use Amazon’s Simple Storage Service, take a moment to review the security status of your buckets and the permission levels set individually per file.
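One way to act on that advice, as an added example that is not from the article or from Rapid7: a Python check over a bucket's ACL document (the XML that S3's REST API returns for a GET request with `?acl`) that flags grants to the predefined public groups, the setting that makes a bucket listable by anyone who guesses its name. The ACLs below are constructed samples, not captured from any real bucket; the group URIs are AWS's real predefined group identifiers.

```python
import xml.etree.ElementTree as ET

# Every element in an S3 ACL response is in this namespace.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Predefined S3 groups: AllUsers is anyone on the Internet,
# AuthenticatedUsers is anyone holding any AWS account at all.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def public_grants(acl_xml):
    """Return (group, permission) pairs the ACL hands to a public group."""
    root = ET.fromstring(acl_xml)
    findings = []
    for grant in root.iter(S3_NS + "Grant"):
        # Only Group grantees carry a URI; CanonicalUser grantees carry an ID.
        uri = grant.findtext(S3_NS + "Grantee/" + S3_NS + "URI")
        permission = grant.findtext(S3_NS + "Permission")
        if uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], permission))
    return findings

def is_publicly_listable(acl_xml):
    """READ on the bucket is what lets anyone enumerate its keys; FULL_CONTROL implies it."""
    return any(p in ("READ", "FULL_CONTROL") for _, p in public_grants(acl_xml))

# Constructed sample ACLs (not captured from any real bucket).
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
OWNER_GRANT = (f'<Grant><Grantee {XSI} xsi:type="CanonicalUser"><ID>0123abcd</ID>'
               '</Grantee><Permission>FULL_CONTROL</Permission></Grant>')
ALLUSERS_GRANT = (f'<Grant><Grantee {XSI} xsi:type="Group">'
                  '<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>'
                  '</Grantee><Permission>READ</Permission></Grant>')

def acl_document(*grants):
    """Wrap grants in the AccessControlPolicy envelope S3 uses."""
    return (f'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
            f'<Owner><ID>0123abcd</ID></Owner><AccessControlList>{"".join(grants)}'
            '</AccessControlList></AccessControlPolicy>')

PRIVATE_ACL = acl_document(OWNER_GRANT)
PUBLIC_ACL = acl_document(OWNER_GRANT, ALLUSERS_GRANT)

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("public", PUBLIC_ACL)):
        print(name, public_grants(acl), "listable by anyone:", is_publicly_listable(acl))
```

The ACL is only one of the ways a bucket becomes public; a bucket policy can grant the same access and needs its own check.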