Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Businesses Privacy The Internet

AWS Error Exposed GoDaddy Business Secrets (zdnet.com) 85

Internal information belonging to hosting provider GoDaddy has been exposed via an error in Amazon's AWS bucket configuration. According to cybersecurity firm UpGuard, a set of documents were left in an Amazon S3 bucket which was available to the public. ZDNet reports: The information involved in the security breach appeared to describe GoDaddy's architecture, as well as "high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios," according to UpGuard. Configuration files for hostnames, operating systems, workloads, AWS regions, memory, CPU specifications, and more were included in the exposed cache, which described at least 24,000 systems.

"Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields," the cybersecurity firm said. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential.

This discussion has been archived. No new comments can be posted.

AWS Error Exposed GoDaddy Business Secrets

Comments Filter:
  • Derptastic (Score:4, Insightful)

    by Aighearach ( 97333 ) on Sunday August 12, 2018 @02:29PM (#57112630)

    Don't name your instances after your company. Select a neutral naming policy, and follow it.

    It is bad enough when business data gets leaked, but why put a big flag on anything accidentally visible to let people know that they should snoop into it because they're not supposed to see it?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      AWS S3 bucket names are shared globally. I don't mean globally within your account. I mean globally globally. If you name an S3 bucket "GoDaddy" then nobody else in the world can name an S3 bucket "GoDaddy". It's a rather strange quirk of the AWS systems that often leads to people naming their buckets with their company name because the likelihood of name collision is much lower that way.

      • The possibility of name collision is clearly and obviously still much higher than using a random string, and maintaining your semantic metadata privately. Don't share your metadata frivolously!

  • Nekkid pictures of Danica Patrick ?

  • by account_deleted ( 4530225 ) on Sunday August 12, 2018 @02:42PM (#57112680)
    Comment removed based on user account deletion
    • by nadass ( 3963991 )
      Generally speaking, infrastructure configurations and vendor-negotiated pricing arrangements are relatively confidential for the entity (GoDaddy) and they are traditionally classified as "trade secrets" (especially in the eyes of lawyers and employment/vendor contracts). The vendor/team/person who setup "abbottgodaddy" is liable for any damages directly attributable to this snafu; the direct damages would be changes in pricing strategy and infrastructure migration costs -- for a company like GoDaddy (with
    • Re: (Score:2, Funny)

      by giggleloop ( 5166293 )
      Yeah. They really need to be clear that the open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. Sloppy reporting not to include that info.
    • I'm confused should this information should have been kept confidential? I wish the summary would clarify that

      I'm confused should this information should have been kept confidential? I wish the summary would clarify that

      "Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields," the cybersecurity firm said. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. The open bucket,

  • by Anonymous Coward

    It's too easy to have an epic security fail because it's too complicated, the peons configuring it don't know WTF they're doing and management doesn't care as long as it involves the words "cloud" and "savings".

    • by iTrawl ( 4142459 )

      Yeah, back in my day it was too easy to have an epic security fail because your own damn server was too complicated and the peons configuring it didn't know WTF they were doing. Now they have this cloud thing with point and click security...

      Now get off my... err... I'm not that old actually. I don't have a lawn yet.

  • I forgave the local semi techy tabloid type online newspaper getting this wrong when the news broke days ago, but this is Slashdot FFS. This was user error, not a systems error. An AWS employee fucked up.

    • by nadass ( 3963991 )
      Hmm, from the article:

      "The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer," an AWS spokesperson told ZDNet.

      Somebody is not getting their performance bonus this quarter...

    • This was user error, not a systems error. An AWS employee fucked up.

      I disagree. The "storing your data on someone else's servers" craze makes configuration so hard that not even the vendor can get it right.

      • I disagree. The "storing your data on someone else's servers" craze makes configuration so hard that not even the vendor can get it right.

        It's not difficult to make a default deny (i.e. Deny:*) bucket policy and then add in the allows. Hard but not impossible.

      • by Mascot ( 120795 )

        Our usage of the term seems to differ, then. To me, a systems error is a category separate from user error, even if the user error is made more likely by overly complicated design or implementation.

  • que?
  • by Anonymous Coward

    how many times does a bucket need to be exposed before people get smart enough to. stop. fucking. using. them. for. important. data.

  • The editors should ensure that duplicate sentences are removed from the summary. The editors should ensure that duplicate sentences are removed from the summary. It seems like this could be automated. It seems like this could be automated. I don't know why I see articles about 10% to 20% of the time with duplicate sentences, or sometimes even whole paragraphs, in them. I don't know why I see articles about 10% to 20% of the time with duplicate sentences, or sometimes even whole paragraphs, in them. It's kin

  • Calling this an AWS error is like calling leaving an unlocked S series in an airport parking lot a "Mercedes Benz" error. This is an error that GoDaddy, who is typically poor when it comes to security knowledge, made in their implementation. They used S3 without applying proper policies around it, all of which are more than sufficiently documented.
    • by Junta ( 36770 )

      If it were a Mercedes salesperson leaving it unlocked in the airport, they would call it a Mercedes issue.

      Also, if Mercedes had a keyfob that would tend to unlock in the pocket, people would be questioning some human factors situations with that keyfob, even though that keyfob is working fine and would be secure if 'used properly'.

      The challenge with cloud hosting is that humans suck at securing things, and in the cloud instance context they tend to make the same mistakes they make on private networks except

  • The title suggests Amazon screwed up, when it was GoDaddy that screwed up their usage of Amazon's services. Kinda shady. The title.

  • This is a perfect example why companies refuse to outsource their Exchange servers, SharePoint boxen, as well as file storage services to the cloud. HR won't let them for reasons such as this.

    For those arguing it is GODADDYS FAULT not Amazon they miss the point. It was perfectly secure and fine the way it was. Some bean counter who is not trained in risk management urged to fire their IT workers and outsource this function to the cloud to save money.

    They got what they paid for.

  • "Although the potential threats to exploit this kind of data require intentional malicious actors, the exposure of that data through misconfigured storage does not," UpGuard said. "From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren't there to catch and fix misconfigurations when they occur."

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...