A Net Security report shows that thousands of private users, developers and business users on Amazon's cloud have not taken adequate security measures to protect their passwords and data. These accounts are vulnerable: an unauthorized hacker can get in and access or retrieve files the users believed were secure.
Net Security machine-generated URLs for companies and websites and probed Amazon's S3 servers. Candidate names were drawn by random selection from the Fortune list of the top 1000 companies and from the 100,000 top-ranked Alexa websites. Permutations of possible server addresses on the amazonaws.com domain were then tried in order to reach accounts, after which the results were run through Bing's Search API to determine whether they could be accessed. Amazon's settings, it seems, are not enough: it sets S3 accounts to private, but misconfiguration can permit public access. Will Vandevanter, the security researcher, found to his surprise that of the 12,328 probes, 1,951 buckets had security holes that left them vulnerable and accessible, and he was able to extract a list of over 126 billion files. Sampling the data revealed that the data of a medium-sized social media site could easily be accessed. Other data found included affiliate tracking data, data backups, video game source code, sales figures of car dealerships, and much else that was not analyzed because of the sheer volume.
The outcome of this raid is that it has set Amazon's pants on fire: the giant is warning users to reconfigure their settings, and is also taking action to identify misconfigured files and correct them before someone with serious malintent does some very serious harm.
S3 organizes files into "buckets", containers for files of all kinds that are reachable at a certain URL, with controls for privacy and accessibility. A bucket is public if anyone who asks can list its contents; it is private if only certain S3 users have that right. Amazon's S3 is a cloud service intended to make web-based computing easy, especially for developers. It is available through a simple interface and is claimed to be cost-effective and efficient.
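An added example, not code from the article or from Rapid7: a check a bucket owner can run against their own bucket's ACL and bucket policy to find grants that let anyone list its contents. It works on the dict shapes that boto3's get_bucket_acl() and a parsed bucket policy document return, on a constructed sample embedded below; fetching the live documents with boto3 is assumed to be done by the caller.

```python
import json

# Grantee URIs that make an ACL grant readable by the public or by any AWS user.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}  # on a bucket, READ means "list objects"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Findings for ACL grants that let a public group list the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who and grant.get("Permission") in LISTING_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    return findings

def public_policy_statements(policy):
    """Findings for Allow statements granting s3:ListBucket (or s3:*) to Principal '*'.
    Statements carrying a Condition are still flagged so that a human reviews them."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and is_public and actions & {"s3:listbucket", "s3:*", "*"}:
            findings.append(f"Policy statement '{stmt.get('Sid', '?')}' allows public listing")
    return findings

def audit_bucket(acl, policy=None):
    """Run both checks; policy may be the JSON string get_bucket_policy() returns or a dict."""
    findings = public_acl_grants(acl)
    if policy:
        findings += public_policy_statements(json.loads(policy) if isinstance(policy, str) else policy)
    return findings

# Constructed sample input mirroring the misconfiguration the article describes.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicList", "Effect": "Allow", "Principal": "*",
    "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
```

An empty result from audit_bucket() means neither the ACL nor the policy grants anonymous listing; any finding is a bucket to lock down.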
Will Vandevanter is a security researcher at Rapid7 and provides penetration testing services to organizations wishing to test the security of their systems.