Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
When will this madness end?
Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts.
The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – things like login credentials, security keys, and API keys.
In fact, the leak hunters say exposed data was so common that they counted an average of around 2.5 passwords and access tokens per file analyzed, per repository. In some cases, more than 10 secrets were found in a single file; some files had none at all.
These credentials included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.
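The kind of sweep described above can be run defensively against your own storage before anyone else does. The following is an added example, not Truffle Security's tooling: it counts matches for the credential types the article names across a set of constructed sample objects standing in for a listed bucket, and reports the per-file average the article quotes. The regexes, object keys and contents are all made up here; the key IDs are AWS documentation placeholders.

```python
import re

# Constructed regexes for the credential types named in the article. Real
# scanners carry many more patterns plus entropy checks and live verification.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@[^\s'\"]+"),
    "sqlserver_password": re.compile(r"(?i)\bPassword=[^;\s'\"]+"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}


def scan_text(text):
    """Return {secret_type: hit_count} for one object's contents (zero-hit types omitted)."""
    hits = {name: len(pattern.findall(text)) for name, pattern in SECRET_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def scan_objects(objects):
    """Scan {object_key: contents}, a stand-in for an enumerated S3 bucket.

    Returns (per_object_totals, average_secrets_per_object); the article quotes
    roughly 2.5 for that average across the open buckets Truffle found.
    """
    per_object = {key: sum(scan_text(body).values()) for key, body in objects.items()}
    avg = sum(per_object.values()) / len(per_object) if per_object else 0.0
    return per_object, avg


# Constructed sample objects: one config file with several secrets, one with a
# single SQL Server password, one clean file, and one stale key dump.
SAMPLE_BUCKET = {
    "config/app.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "MONGO_URL=mongodb://appuser:S3cretPass@db.example.internal:27017/prod\n"
        "COINBASE_API_KEY=abcd1234efgh5678ijkl\n"
    ),
    "db/connection.ini": "Server=sql.example.internal;Database=orders;User Id=sa;Password=Hunter2!;\n",
    "docs/README.md": "Deployment notes. Secrets are loaded from the vault at runtime.\n",
    "backup/rotated-keys.txt": (
        "old: AKIAI44QH8DHBEXAMPLE AKIAZZZZEXAMPLE00001 AKIAEXAMPLE000000001\n"
        "pwd history: Password=Winter2019; Password=Spring2020; Password=Summer2021;\n"
    ),
}

if __name__ == "__main__":
    totals, average = scan_objects(SAMPLE_BUCKET)
    for key, count in sorted(totals.items()):
        print(f"{count:3d}  {key}  {scan_text(SAMPLE_BUCKET[key])}")
    print(f"average secrets per object: {average:.2f}")
```

Pointing `scan_objects` at real object contents is the point; anything it flags in a bucket that is also world-readable is a credential to rotate, not just a finding to file.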
That the Truffle Security team was able to turn up roughly 4,000 insecure buckets with private information shows just how common it is for companies to leave their cloud storage instances unguarded.
Though AWS has done what it can to get customers to lock down their cloud instances, finding exposed storage buckets and databases is pretty trivial for trained security professionals to pull off.
In some cases, the leak-hunters have even partnered up with law firms, collecting referral fees when they send aggrieved customers to take part in class-action lawsuits against companies that exposed their data.
While in many cases the insecure buckets contain information that the company might want public, or at least wouldn't mind leaving out for the world to see, these instances were found to have information that you would want to keep closely guarded.
Truffle says it is trying to get the affected companies notified, or at least have the leaky buckets taken offline by AWS.
"We did hundreds of disclosures, and partnered with providers in some cases to get keys revoked for buckets where we couldn’t identify owners," the team explained this month.
"Disclosures ranged from dozens of Fortune 500 companies, to NGOs and small startups."
While leaving the buckets open is bad enough in and of itself, the Truffle crew believes the real danger lies in the cascading effect of the exposed 'secrets': an attacker could use the leaked keys and credentials to get into other, more secure accounts and services.
In other words, they fear that the misconfigured buckets would serve as the entry point for a much larger data leak.
"It's probably fair to assume authenticated buckets contain more secrets than unauthenticated ones, due to the implied higher security bar authentication provides. This means attackers can likely use the first round of buckets to find keys that unlock an additional round of buckets and expose more keys, which could expose more buckets, etc," explained the Truffle team.
"We did not use any of these keys or explore this possibility for obvious reasons, but this makes this type of attack 'wormable', i.e., one bucket can lead to another bucket, and so on, magnifying the impact of the leak." ®