Users store the files in ‘buckets’. Amazon offers ‘public buckets’ for sharing, and ‘private buckets’ for protected storage. The difference is fairly obvious: access control lists (ACLs) are used to limit access to private buckets to only authorized users, whereas anyone who knows the relevant URL can access the public buckets.
A Rapid7 penetration tester (_willis_) decided to follow up on the work of another pentester (Robin Wood, who operates the DigiNinja blog) in looking at what can be found in S3 public buckets. Wood’s curiosity had been piqued when he realized that all S3 buckets must have a unique URL, and that much of the URL is standard.
“This made me think,” he told Infosecurity, “that there must therefore be a way to enumerate which bucket names had already been taken. I wrote a quick script [bucket finder] to do this but noticed that some buckets showed the files they contained when I looked at them – these are the ones that users mark as ‘public’. I extended the script so that when it found a public bucket it listed all the files in it.”
The issue is simple. If someone knows or guesses one of the bucket URLs, they will either receive an ‘access denied’ message for a private bucket, or a list of the first 1000 objects contained in a public bucket.
Rapid7's _willis_ decided to look further. Using various techniques such as wordlists, data from the Critical.IO project and search engine dorking he discovered 12,328 unique S3 buckets: 10,377 were private and 1,951 were public. “From the 1,951 public buckets,” he reports, “we gathered a list of over 126 billion files. The sheer number of files made it unrealistic to test the permissions of every single object, so a random sampling was taken instead. All told, we reviewed over 40,000 publicly visible files, many of which contained sensitive data.”
Some of that information included sales records and account information, database backups containing site data and encrypted passwords, employee personal information including member lists across various spreadsheets, and video game source code and development tools for a mobile gaming firm.
_willis_ stresses that this is not a fault with Amazon, but a misconfiguration problem among Amazon’s users – files that should be in private buckets are put in public buckets, and the URL to those public buckets can be easily guessed.
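Since the root cause is a bucket ACL that grants listing to the global AllUsers group, the check a bucket owner wants is "which of my buckets answer an anonymous GET with an object listing instead of AccessDenied?". The following is an added example, not code from the article, Rapid7 or DigiNinja: it audits ACLs in the shape that boto3's `get_bucket_acl()` returns (an assumption about the input format) and flags grants to the two global groups. The bucket names and ACLs in it are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Global grantee groups; a grant to either is "public" in the sense the article describes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Bucket-level READ (or FULL_CONTROL, which implies it) is what makes an
# unauthenticated GET on the bucket URL return the object listing.
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group, permission) pairs for every grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grantees are specific principals
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if group is not None:
            findings.append((group, grant.get("Permission", "")))
    return findings


def allows_anonymous_listing(acl: dict) -> bool:
    """True if anyone on the Internet (AllUsers) can list the bucket's objects."""
    return any(group == "AllUsers" and perm in LISTING_PERMISSIONS
               for group, perm in public_grants(acl))


def audit(acls: Dict[str, dict]) -> Dict[str, dict]:
    """Summarise a mapping of bucket name -> ACL into per-bucket findings."""
    return {
        name: {
            "public_grants": public_grants(acl),
            "anonymous_listing": allows_anonymous_listing(acl),
        }
        for name, acl in acls.items()
    }


# Constructed sample ACLs (not real buckets) in the get_bucket_acl() response shape.
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef"}  # placeholder canonical ID
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

SAMPLE_ACLS = {
    "private-backups": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        ],
    },
    "public-photos": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "shared-with-any-aws-account": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        ],
    },
    "public-writable-drop": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        ],
    },
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_ACLS).items():
        flag = "LISTABLE BY ANYONE" if result["anonymous_listing"] else "ok"
        print(f"{name:30} {flag:20} {result['public_grants']}")
```

In live use the ACL dicts would come from `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket in `list_buckets()`. Two caveats: bucket-level READ exposes the listing but not object contents, which depend on each object's own ACL (which is why the Rapid7 sampling tested object permissions separately), and bucket policies and S3 Block Public Access are separate controls that this ACL check does not cover.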
“Attackers can abuse this,” Wood told Infosecurity, “by using a script similar to mine and accessing as many buckets as they can find and pulling out all of the files. Most of what I found wasn't anything an attacker could use (lots of photo albums) but I found a tax return and a few other bits that contained sensitive information. I only scanned a very small number compared to the total potential population so scanning all of them would likely reveal a lot more juicy information. The hard bit would be sorting through it all [_willis_ just managed 40,000 out of 126 billion files] to find it, but,” he added, “that could be automated to some degree.”
The problem, however, is not limited to Amazon. “I found the same thing on the Apple Mobile Me system and on another similar one that I've not released yet,” Wood told Infosecurity.