Forgot your password?
typodupeerror
Cloud Security IT

One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering 79

Posted by samzenpus
from the ripe-for-the-picking dept.
tsamsoniw writes "Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets whose owners had them set to Public instead of Private. All told, researchers discovered and explored nearly 2,000 public buckets, according to Rapid 7 Senior Security Consultant Will Vandevanter, from which they gathered a list of more than 126 billion files, many of which contained sensitive information such as source code and personal employee information. Researchers noted that S3 URLs are all predictable and public facing, which make it that much easier to find the buckets in the first place with a scripting tool."
This discussion has been archived. No new comments can be posted.

One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering

Comments Filter:
  • by alphatel (1450715) * on Wednesday March 27, 2013 @06:08PM (#43297849)

    You have done an excellent job of revealing the very loose fabric of the internet, especially those that would not set their own security properly. However, under current law, you have violated so many laws, with so many more to come, that your best way out is to stand on the last iceberg in the Arctic and hope it does not melt anytime soon. Just to clarify, here's a few of the things you've clearly done, and I don't even have to prove them.

    Access and distribution of pornography (surely one of those buckets was full of porn, a felony in 20 countries)
    Access and distribution of child pornography (well at least one of those buckets has it, or did, or will one day)
    Failure to report a bucket full of child pornography
    Conspiracy to distribute
    Hacking every country in the world... let me explain, no wait let me sum up.
    Amazon has storage in 193 countries
    By accessing one you have violated the statutes of every country attacked
    This is basically punishable by the rest of your life in prison in every country, except the Vatican, which will send you to hell.
    So now you are going to hell, after spending the rest of your life kissing bubba's pants
    Unauthorized access (fines from Amazon, billions $$$$ ($100,000 per bucket per country, ouch!)
    Future crimes (as the future is soon you are already guilty of:
    Discussing a hacking attempt
    Intent to hack
    Intent to exploit, list exploits, financially gain from exploits

    I can't type anymore, and there's no doubt as far as most governments are concerned I'm as guilty as you are by now.

    • by Cryacin (657549)
      Your tin foil hat's come loose.
    • by sgardner (2877627)

      You have done an excellent job of revealing the very loose fabric of the internet, especially those that would not set their own security properly. However, under current law, you have violated so many laws, with so many more to come, that your best way out is to stand on the last iceberg in the Arctic and hope it does not melt anytime soon. Just to clarify, here's a few of the things you've clearly done, and I don't even have to prove them.

      Access and distribution of pornography (surely one of those buckets was full of porn, a felony in 20 countries) Access and distribution of child pornography (well at least one of those buckets has it, or did, or will one day) Failure to report a bucket full of child pornography Conspiracy to distribute Hacking every country in the world... let me explain, no wait let me sum up. Amazon has storage in 193 countries By accessing one you have violated the statutes of every country attacked This is basically punishable by the rest of your life in prison in every country, except the Vatican, which will send you to hell. So now you are going to hell, after spending the rest of your life kissing bubba's pants Unauthorized access (fines from Amazon, billions $$$$ ($100,000 per bucket per country, ouch!) Future crimes (as the future is soon you are already guilty of: Discussing a hacking attempt Intent to hack Intent to exploit, list exploits, financially gain from exploits I can't type anymore, and there's no doubt as far as most governments are concerned I'm as guilty as you are by now.

      The content owners granted access permissions to everyone by leaving their S3 buckets public; there's no way stumbling upon information made publicly available is considered hacking. Only the owners of these buckets could be convicted of anything, assuming stupidity is a crime.

      • by PRMan (959735)

        The content owners granted access permissions to everyone by leaving their S3 buckets public; there's no way stumbling upon information made publicly available is considered hacking. Only the owners of these buckets could be convicted of anything, assuming stupidity is a crime.

        Again, tell that to weev, who did the EXACT same thing and has already been convicted of 41 months in prison.

        • by sgardner (2877627)
          There is a huge difference here. The owners of these buckets have given express permission (whether intended to or not) to the public through their privacy settings; the details of which can be found in the ToS and/or Privacy Policies they agreed to when they opened their accounts. On the other hand, weev accessed what is already defined as private data through a loophole, exploit, or whatever you want to call it. There was a way to establish guilt, which is not possible in this case, as the bucket owners h
      • It's cute how naive you are.

    • by ewenix (702589)
      I think you'll have a hard time getting a tech savvy person to consider this hacking when the users are allowing public access. You'd need to prove that they opened an image file for any of the pron charges. There is no evidence of conspiracy to distribute unless you prove they opened any of the files. You could possibly get in trouble for intent to exploit, depending on the the laws of the country of the owner and yours. (Throw in a jurisdiction issue or two.)
    • Massively offtopic, but...

      "Professor, what's another word for pirate treasure?"
      "Well I think it's booty" "booty" "booty that's what it is"

      -- Beastie Boys "Professor Booty"

  • URLs? (Score:4, Insightful)

    by K. S. Kyosuke (729550) on Wednesday March 27, 2013 @06:15PM (#43297901)

    "Researchers noted that S3 URLs are all predictable and public facing"

    I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

    • by Nidi62 (1525137)

      Researchers noted that S3 URLs are all predictable and public facing, which make it that much easier to find the buckets in the first place with a scripting tool.

      So basically they walked down the street checking door to see which ones were unlocked then looked inside the unlocked houses?

      • by Anonymous Coward

        So basically they walked down the street checking door to see which ones were unlocked then looked inside the open stores. These are marked public. They're public.

        ~orb

      • Re: (Score:3, Interesting)

        by BradleyUffner (103496)

        So basically they walked down the street checking door to see which ones were unlocked then looked inside the unlocked houses?

        It would be like walking down a street and peeking in to public restaurant to see what's on the menu.

        • by wvmarle (1070040)

          These storage buckets are presumably meant to be private, not public. So the private houses analogy is much better than the public restaurant analogy here.

          • These storage buckets are presumably meant to be private, not public. So the private houses analogy is much better than the public restaurant analogy here.

            By default every bucket and file is marked as private. If something is marked as public then it has been explicitly marked that way by the user.

    • by ckedge (192996)

      You know that.
      I know that.

      90% of people who "code" or deal with software -- should not be allowed anywhere near anything that has aspects of security aspects of systems and software.

      Good luck trying to find a manager that a) understands that, b) can identify the 10% vs the masses, c) is willing to pay that 10% what they're worth.

      Shit, the 50% of managers and "architects" and developers who create unscalable crap are long gone off to their next task before whatever they last created gets to the point of impl

    • by x3CDA84B (2592699)

      I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

      In systems with URLs that contain some sort of object identifier, using a non-predictable identifier is a great way to add another layer of security. It doesn't replace actual authentication or authorization checks, it just complements them.

      For example, if I have a REST URL like this:

      http://someserver/users/ID [someserver]

      If I use sequential numbers, or actual usernames as the identifier, it becomes trivial for someone to enumerate all of them by iterating through numbers, or a dictionary. However, if the ID is a 128-bi

  • Amazon's Jeff Bezos must not give much direction to his crew about running things right.

    • by girlintraining (1395911) on Wednesday March 27, 2013 @06:46PM (#43298151)

      Amazon's Jeff Bezos must not give much direction to his crew about running things right.

      The default policy is set to private and Amazon provides extensive documentation and support should customers wish to secure things properly. 5 out of 6 did, and think the sixth is a blithering idiot. How is Bezos responsible for the sixth guy shooting himself in the foot as when he was handed the gun it clearly said "Do not pull trigger while pointing at self."?

      • by Luckyo (1726890)

        Being an idiot does not automatically revoke rights to things like privacy and property. Else you could argue that stealing from people who don't lock their doors is not a crime.

      • by Anonymous Coward on Wednesday March 27, 2013 @10:42PM (#43299527)

        > The default policy is set to private

        It is now, but it wasn't in Dec 2006 when I first started using S3. I looked through my buckets, and all of them I created that month are all public.

  • This just in... (Score:5, Interesting)

    by girlintraining (1395911) on Wednesday March 27, 2013 @06:26PM (#43297965)

    People don't bother reading the manual. Then, everything explodes. How is this news? Please, find me a person in this industry who doesn't know what RTFM means. "Idiot who didn't RTFM exposes personal info." Those of us in the industry have a term for when things like this happen: Tuesday.

    What'll be news is when they say "And then the manager and personnel responsible went to jail, because their idiocy cost tax payers millions in lost productivity spent fixing their credit reports and financial lives."

  • by Anonymous Coward

    I thought white-hat hacking was illegal unless you got the owner's permission...

  • by viperidaenz (2515578) on Wednesday March 27, 2013 @06:28PM (#43297993)

    A billion out of a billion Facebook accounts are ripe for the plundering too. Just wait for the next feature change and the inevitable default setting of "public" applied to every account.

  • by bennini (800479) on Wednesday March 27, 2013 @06:44PM (#43298129) Homepage
    This sounds an awful lot like what Andrew Auernheimer did [computerworld.com].

    If the justice department or any company affected by this wants to, they could claim Computer Fraud and Abuse.
    Yet somehow I doubt the "researches" will get any jail time.
  • Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets whose owners had them set to Public instead of Private.

    So, if you want your bucket to be private, you shouldn't actively set it to be Public instead of Private. Okay, I can see that, but I'm trying desperately to figure out how this is news.

  • The default in s3 has containers set to private. The 'flaw' here is that public containers can be listed by anyone.

    1) set container to public
    2) shout loudly that the public can see inside your public container

    I'm tempted to call the author a moron.

    • It's not a problem with Amazon. The issue is with developers not bothering to think about what they're doing when they chuck data into buckets that are expressly set to public. It's potentially a very large problem for companies that expose sensitive customer information or things like access credentials in this manner. If you think I'm kidding about the latter, I'm not, having seen that happen.

  • but with a crapier business plan?

  • "Public websites are public! News at 11!"
  • Looks like Slashdot has the same issue.

    For example, this [slashdot.org]. No user authentication required at all.
  • I do weekly backups of my web servers to Amazon S3. I'm not overly concerned because I encrypt (AES-256) the tar files before upload.

    While I admit, folks have their own priorities and needs... I only tend to trust "the cloud" for things that are public or well encrypted.

The ideal voice for radio may be defined as showing no substance, no sex, no owner, and a message of importance for every housewife. -- Harry V. Wade

Working...