One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering

← Back to Stories (view on slashdot.org)

One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering

Posted by samzenpus on Wednesday March 27, 2013 @11:07AM from the ripe-for-the-picking dept.

tsamsoniw writes "Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets whose owners had them set to Public instead of Private. All told, researchers discovered and explored nearly 2,000 public buckets, according to Rapid 7 Senior Security Consultant Will Vandevanter, from which they gathered a list of more than 126 billion files, many of which contained sensitive information such as source code and personal employee information. Researchers noted that S3 URLs are all predictable and public facing, which make it that much easier to find the buckets in the first place with a scripting tool."

44 of 79 comments (clear)

Min score:

Reason:

Sort:

I think it's booty by alphatel · 2013-03-27 11:08 · Score: 5, Funny

You have done an excellent job of revealing the very loose fabric of the internet, especially those that would not set their own security properly. However, under current law, you have violated so many laws, with so many more to come, that your best way out is to stand on the last iceberg in the Arctic and hope it does not melt anytime soon. Just to clarify, here's a few of the things you've clearly done, and I don't even have to prove them.
Access and distribution of pornography (surely one of those buckets was full of porn, a felony in 20 countries)
Access and distribution of child pornography (well at least one of those buckets has it, or did, or will one day)
Failure to report a bucket full of child pornography
Conspiracy to distribute
Hacking every country in the world... let me explain, no wait let me sum up.
Amazon has storage in 193 countries
By accessing one you have violated the statutes of every country attacked
This is basically punishable by the rest of your life in prison in every country, except the Vatican, which will send you to hell.
So now you are going to hell, after spending the rest of your life kissing bubba's pants
Unauthorized access (fines from Amazon, billions $$$$ ($100,000 per bucket per country, ouch!)
Future crimes (as the future is soon you are already guilty of:
Discussing a hacking attempt
Intent to hack
Intent to exploit, list exploits, financially gain from exploits

I can't type anymore, and there's no doubt as far as most governments are concerned I'm as guilty as you are by now.

--
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
1. Re:I think it's booty by Cryacin · 2013-03-27 11:23 · Score: 1
  
  Your tin foil hat's come loose.
  
  --
  Science advances one funeral at a time- Max Planck
2. Re:I think it's booty by WallaceAndGromit · 2013-03-27 11:30 · Score: 4, Informative
  
  Did it? I'm not so sure...
  
  http://yro.slashdot.org/story/13/03/18/1641221/41-months-in-prison-for-man-who-leaked-att-ipad-email-addresses
  
  --
  Name: Mr. Anon E Mouse; SSN: 555-55-5555
3. Re:I think it's booty by sgardner · 2013-03-27 11:39 · Score: 2
  
  You have done an excellent job of revealing the very loose fabric of the internet, especially those that would not set their own security properly. However, under current law, you have violated so many laws, with so many more to come, that your best way out is to stand on the last iceberg in the Arctic and hope it does not melt anytime soon. Just to clarify, here's a few of the things you've clearly done, and I don't even have to prove them.
  Access and distribution of pornography (surely one of those buckets was full of porn, a felony in 20 countries) Access and distribution of child pornography (well at least one of those buckets has it, or did, or will one day) Failure to report a bucket full of child pornography Conspiracy to distribute Hacking every country in the world... let me explain, no wait let me sum up. Amazon has storage in 193 countries By accessing one you have violated the statutes of every country attacked This is basically punishable by the rest of your life in prison in every country, except the Vatican, which will send you to hell. So now you are going to hell, after spending the rest of your life kissing bubba's pants Unauthorized access (fines from Amazon, billions $$$$ ($100,000 per bucket per country, ouch!) Future crimes (as the future is soon you are already guilty of: Discussing a hacking attempt Intent to hack Intent to exploit, list exploits, financially gain from exploits I can't type anymore, and there's no doubt as far as most governments are concerned I'm as guilty as you are by now.
  The content owners granted access permissions to everyone by leaving their S3 buckets public; there's no way stumbling upon information made publicly available is considered hacking. Only the owners of these buckets could be convicted of anything, assuming stupidity is a crime.
4. Re:I think it's booty by bloodhawk · 2013-03-27 11:43 · Score: 1
  
  His post was mostly in jest, but many countries really do have extremely strict laws on data access which in many cases amount to if you don't have explicit permission to access the information then you are trespassing/hacking if you access it and poor security or settings by the company in question does not excuse the action. by saying they have scanned so many buckets they really have potentially opened themselves up for all sorts of legal trouble if any countries in question decide to make an issue of it.
5. Re:I think it's booty by PRMan · 2013-03-27 11:45 · Score: 3
  
  Tell that to weev. He'll be available to talk to you in 41 months.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
6. Re:I think it's booty by PRMan · 2013-03-27 11:47 · Score: 2
  
  The content owners granted access permissions to everyone by leaving their S3 buckets public; there's no way stumbling upon information made publicly available is considered hacking. Only the owners of these buckets could be convicted of anything, assuming stupidity is a crime.
  Again, tell that to weev, who did the EXACT same thing and has already been convicted of 41 months in prison.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
7. Re:I think it's booty by GryMor · 2013-03-27 11:53 · Score: 1
  
  Private is the default setting?
  
  --
  Realities just a bunch of bits.
8. Re:I think it's booty by abirdman · 2013-03-27 11:55 · Score: 1
  
  Tell that to Aaron Swartz. Even if the protection mechanism doesn't work, or isn't implemented, it's still hacking in the eyes of law enforcement. And also note, even if you win you'll spend every cent you have on lawyers.
  
  --
  Everything I've ever learned the hard way was based on a statistically invalid sample.
9. Re:I think it's booty by DragonWriter · 2013-03-27 11:59 · Score: 1
  
  Any reason why Private was not the default setting?
  Private is the default setting. Which is why TFS notes that this is about buckets who users had set them to Public instead of Private.
10. Re:I think it's booty by similar_name · 2013-03-27 12:52 · Score: 2
  
  The Innocent Defendant's Dilema
11. Re:I think it's booty by nametaken · 2013-03-27 15:33 · Score: 1
  
  The difference here is most of this shit is supposed to be public.
  This whole article is goddamn idiotic. One of the primary uses of S3 is as an asset hosting service for websites. That doesn't mean there are a trillion public files that aren't supposed to be. It means people are using the service. So great, you found a trillion public files. You know what else does that already? Google.
  It sounds to me like this "security researcher" is just some asshat that wasted time writing a script, and news outlets have zero technical standards.
12. Re:I think it's booty by philip.paradis · 2013-03-27 15:45 · Score: 1
  
  The difference here is most of this shit is supposed to be public.
  Most != All. The entire point of this sort of exploit is to draw attention to widespread gross misunderstanding and misconfiguration of services used by a great many developers, content managers, etc. Maybe this is difficult to understand, so allow me to rephrase it: the entire point is that a large number of these files shouldn't be public, and at minimum this demonstrates incompetence on the part of those who put those files into public buckets. More interestingly, depending on the nature of the improperly stored data, the companies who employ these people can be held liable for severe legal penalties related to failure to properly secure their customers' sensitive information.
  In short, you're either the sort of asshat who blames security researchers in general for finding and publishing security problems, or you're grossly ignorant of how these things actually work, or both. Have a nice day.
  
  --
  Write failed: Broken pipe
13. Re:I think it's booty by Narcocide · 2013-03-27 15:57 · Score: 1
  
  Oh they search engines have been attacked legally too but they usually:
  1) are corporations so they can't be sent to jail
  2) have resources to defend themselves in court or settle out of court
14. Re:I think it's booty by davester666 · 2013-03-27 16:01 · Score: 1
  
  It's cute how naive you are.
  
  --
  Sleep your way to a whiter smile...date a dentist!
15. Re:I think it's booty by Lennie · 2013-03-27 22:13 · Score: 1
  
  Maybe in your country, not mine.
  An analogy of this law is: You will be punishable by law if you open a unlocked door when unauthorized.
  
  --
  New things are always on the horizon
16. Re:I think it's booty by ewenix · 2013-03-28 00:38 · Score: 1
  
  I think you'll have a hard time getting a tech savvy person to consider this hacking when the users are allowing public access. You'd need to prove that they opened an image file for any of the pron charges. There is no evidence of conspiracy to distribute unless you prove they opened any of the files. You could possibly get in trouble for intent to exploit, depending on the the laws of the country of the owner and yours. (Throw in a jurisdiction issue or two.)
17. Re:I think it's booty by omarius · 2013-03-28 02:12 · Score: 1
  
  This. As soon as I read the stub, my first thought was, "This is exactly what they jailed Weev for." Mod thou the parent up.
18. Re:I think it's booty by cant_get_a_good_nick · 2013-03-28 09:49 · Score: 1
  
  Massively offtopic, but...
  "Professor, what's another word for pirate treasure?"
  "Well I think it's booty" "booty" "booty that's what it is"
  -- Beastie Boys "Professor Booty"
19. Re:I think it's booty by sgardner · 2013-03-29 08:40 · Score: 1
  
  There is a huge difference here. The owners of these buckets have given express permission (whether intended to or not) to the public through their privacy settings; the details of which can be found in the ToS and/or Privacy Policies they agreed to when they opened their accounts. On the other hand, weev accessed what is already defined as private data through a loophole, exploit, or whatever you want to call it. There was a way to establish guilt, which is not possible in this case, as the bucket owners have already agreed to a legal contract stating that public storage is what it is—public.
20. Re:I think it's booty by sgardner · 2013-03-29 16:21 · Score: 1
  
  Like the others, you are overlooking the fact that the bucket owners marked their storage contents as public, and that they've already agreed to a legal contract which describes what public storage entails. This is not difficult to understand; you guys might want to read articles more thoroughly before commenting.
URLs? by K.+S.+Kyosuke · 2013-03-27 11:15 · Score: 3, Insightful

"Researchers noted that S3 URLs are all predictable and public facing"
I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

--
Ezekiel 23:20
1. Re:URLs? by Nidi62 · 2013-03-27 11:28 · Score: 2
  
  Researchers noted that S3 URLs are all predictable and public facing, which make it that much easier to find the buckets in the first place with a scripting tool.
  So basically they walked down the street checking door to see which ones were unlocked then looked inside the unlocked houses?
  
  --
  The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
2. Re:URLs? by ckedge · 2013-03-27 11:31 · Score: 2
  
  You know that.
  I know that.
  90% of people who "code" or deal with software -- should not be allowed anywhere near anything that has aspects of security aspects of systems and software.
  Good luck trying to find a manager that a) understands that, b) can identify the 10% vs the masses, c) is willing to pay that 10% what they're worth.
  Shit, the 50% of managers and "architects" and developers who create unscalable crap are long gone off to their next task before whatever they last created gets to the point of implosion.
3. Re:URLs? by BradleyUffner · 2013-03-27 14:10 · Score: 3, Interesting
  
  So basically they walked down the street checking door to see which ones were unlocked then looked inside the unlocked houses?
  It would be like walking down a street and peeking in to public restaurant to see what's on the menu.
4. Re:URLs? by wvmarle · 2013-03-27 20:35 · Score: 1
  
  These storage buckets are presumably meant to be private, not public. So the private houses analogy is much better than the public restaurant analogy here.
5. Re:URLs? by x3CDA84B · 2013-03-28 01:07 · Score: 1
  
  I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?
  In systems with URLs that contain some sort of object identifier, using a non-predictable identifier is a great way to add another layer of security. It doesn't replace actual authentication or authorization checks, it just complements them.
  For example, if I have a REST URL like this:
  http://someserver/users/ID
  If I use sequential numbers, or actual usernames as the identifier, it becomes trivial for someone to enumerate all of them by iterating through numbers, or a dictionary. However, if the ID is a 128-bit (or longer) random UUID, then that is no longer possible, because it would take millions of years. So even if I (as the developer) make a mistake that allows someone to view or change data that I shouldn't have access to, that attacker may not even get to the point of being able to exploit it, because they may not have any other valid UUIDs to work off of.
  This is why Microsoft moved towards using random/non-sequential identifiers for things like IIS website IDs and so forth in the early 2000s. It's one of the few choices of theirs I really agree with.
6. Re:URLs? by BradleyUffner · 2013-03-28 10:52 · Score: 1
  
  These storage buckets are presumably meant to be private, not public. So the private houses analogy is much better than the public restaurant analogy here.
  By default every bucket and file is marked as private. If something is marked as public then it has been explicitly marked that way by the user.
This just in... by girlintraining · 2013-03-27 11:26 · Score: 5, Interesting

People don't bother reading the manual. Then, everything explodes. How is this news? Please, find me a person in this industry who doesn't know what RTFM means. "Idiot who didn't RTFM exposes personal info." Those of us in the industry have a term for when things like this happen: Tuesday.
What'll be news is when they say "And then the manager and personnel responsible went to jail, because their idiocy cost tax payers millions in lost productivity spent fixing their credit reports and financial lives."

--
#fuckbeta #iamslashdot #dicemustdie
Hacking by Anonymous Coward · 2013-03-27 11:26 · Score: 1

I thought white-hat hacking was illegal unless you got the owner's permission...
1. Re:Hacking by PhamNguyen · 2013-03-27 12:16 · Score: 1
  
  It's ok, he's working for a company so it's a civil matter at worst.
What's the news here? by viperidaenz · 2013-03-27 11:28 · Score: 3, Funny

A billion out of a billion Facebook accounts are ripe for the plundering too. Just wait for the next feature change and the inevitable default setting of "public" applied to every account.
Will these guys get 41 months in jail too? by bennini · 2013-03-27 11:44 · Score: 3, Insightful

This sounds an awful lot like what Andrew Auernheimer did.

If the justice department or any company affected by this wants to, they could claim Computer Fraud and Abuse.
Yet somehow I doubt the "researches" will get any jail time.
Re:Morons Don't Read Slashdot by girlintraining · 2013-03-27 11:46 · Score: 4, Interesting

Amazon's Jeff Bezos must not give much direction to his crew about running things right.
The default policy is set to private and Amazon provides extensive documentation and support should customers wish to secure things properly. 5 out of 6 did, and think the sixth is a blithering idiot. How is Bezos responsible for the sixth guy shooting himself in the foot as when he was handed the gun it clearly said "Do not pull trigger while pointing at self."?

--
#fuckbeta #iamslashdot #dicemustdie
Public v. Private by DragonWriter · 2013-03-27 11:56 · Score: 1

Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets whose owners had them set to Public instead of Private.

So, if you want your bucket to be private, you shouldn't actively set it to be Public instead of Private. Okay, I can see that, but I'm trying desperately to figure out how this is news.
Not a security hole by rgbrenner · 2013-03-27 12:08 · Score: 1

The default in s3 has containers set to private. The 'flaw' here is that public containers can be listed by anyone.
1) set container to public
2) shout loudly that the public can see inside your public container
I'm tempted to call the author a moron.
1. Re:Not a security hole by philip.paradis · 2013-03-27 15:55 · Score: 1
  
  It's not a problem with Amazon. The issue is with developers not bothering to think about what they're doing when they chuck data into buckets that are expressly set to public. It's potentially a very large problem for companies that expose sensitive customer information or things like access credentials in this manner. If you think I'm kidding about the latter, I'm not, having seen that happen.
  
  --
  Write failed: Broken pipe
S3 - MegaUpload... by linatux · 2013-03-27 12:19 · Score: 1

but with a crapier business plan?
Public Stores or Private Houses by Anonymous Coward · 2013-03-27 12:53 · Score: 1

So basically they walked down the street checking door to see which ones were unlocked then looked inside the open stores. These are marked public. They're public.
~orb
Re:Morons Don't Read Slashdot by Anonymous Coward · 2013-03-27 15:42 · Score: 4, Informative

> The default policy is set to private
It is now, but it wasn't in Dec 2006 when I first started using S3. I looked through my buckets, and all of them I created that month are all public.
Re:Morons Don't Read Slashdot by advocate_one · 2013-03-27 19:42 · Score: 1

where's my mod points when I need them... MOD parent up

--
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Duh... by Captain_Chaos · 2013-03-27 21:43 · Score: 1

"Public websites are public! News at 11!"
Slashdot has the same issue by TwentyCharsIsNotEnou · 2013-03-28 00:48 · Score: 1

Looks like Slashdot has the same issue.

For example, this. No user authentication required at all.
Not relevant to everyone by RevDisk · 2013-03-28 04:05 · Score: 1

I do weekly backups of my web servers to Amazon S3. I'm not overly concerned because I encrypt (AES-256) the tar files before upload.

While I admit, folks have their own priorities and needs... I only tend to trust "the cloud" for things that are public or well encrypted.