Slashdot Mirror


One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering

tsamsoniw writes "Using a combination of relatively low-tech techniques and tools, security researchers have discovered that they can access the contents of one in six Amazon Simple Storage Service (S3) buckets whose owners had them set to Public instead of Private. All told, researchers discovered and explored nearly 2,000 public buckets, according to Rapid 7 Senior Security Consultant Will Vandevanter, from which they gathered a list of more than 126 billion files, many of which contained sensitive information such as source code and personal employee information. Researchers noted that S3 URLs are all predictable and public facing, which makes it that much easier to find the buckets in the first place with a scripting tool."
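
A defender-side check for the exposure the summary describes, added here as an example; it is not part of the original Slashdot submission or of the Rapid7 research. It evaluates a bucket's ACL, its bucket policy and its Block Public Access settings (parsed JSON in the shapes the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls return) and reports whether anyone can list or read the bucket. The grantee group URIs and the Block Public Access keys are real AWS values; the bucket names, owner id, account id and sample documents are constructed for the example, and Block Public Access itself is a newer S3 control than this thread.

```python
import json

# Real S3 predefined groups: any ACL grant to these URIs is public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
# Bucket-ACL permissions that let the grantee list the bucket's keys.
LIST_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_acl_grants(acl):
    """Return [(group, permission)] for each ACL grant to a public group.

    `acl` has the GetBucketAcl shape: {"Owner": {...}, "Grants": [...]}.
    A READ grant on the bucket to AllUsers is what lets anyone enumerate
    every key in it, which is the exposure the story above is about.
    """
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits


def principal_is_wildcard(principal):
    """Bucket policies spell 'everyone' as "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Split Allow-to-everyone statements into (unconditional, conditional).

    Conditional ones are returned for review rather than flagged outright,
    because a Condition (aws:SourceVpc, aws:SourceIp, ...) may narrow the audience.
    """
    if policy is None:
        return [], []
    unconditional, conditional = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
            (conditional if stmt.get("Condition") else unconditional).append(stmt)
    return unconditional, conditional


def audit_bucket(name, acl, policy=None, public_access_block=None):
    """One verdict per bucket, honouring the two Block Public Access flags that
    neutralise public ACLs (IgnorePublicAcls) and public policies (RestrictPublicBuckets)."""
    pab = public_access_block or {}
    acl_hits = public_acl_grants(acl)
    pol_public, pol_review = public_policy_statements(policy)
    acl_effective = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    policy_effective = bool(pol_public) and not pab.get("RestrictPublicBuckets", False)
    return {
        "bucket": name,
        "public_acl_grants": acl_hits,
        "public_policy_statements": len(pol_public),
        "conditional_policy_statements": len(pol_review),
        "anyone_can_list": acl_effective and any(p in LIST_PERMISSIONS for _, p in acl_hits),
        "is_public": acl_effective or policy_effective,
    }


# --- Constructed sample data (not real buckets, owners or accounts) ----------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# A policy in its on-the-wire JSON form, parsed as a GetBucketPolicy caller would.
PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-policy-public/*"}]
}""")
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_BUCKETS = [
    ("example-exposed-bucket", EXPOSED_ACL, None, None),
    ("example-private-bucket", PRIVATE_ACL, None, ALL_BLOCKED),
    ("example-policy-public", PRIVATE_ACL, PUBLIC_READ_POLICY, None),
]


def run_audit(buckets=SAMPLE_BUCKETS):
    """Audit a list of (name, acl, policy, public_access_block) tuples."""
    return [audit_bucket(*b) for b in buckets]


if __name__ == "__main__":
    for verdict in run_audit():
        print(verdict)
```

Feeding this the real documents from your own account is a loop over ListBuckets plus the three Get calls per bucket; the point of separating `anyone_can_list` from `is_public` is that a listable bucket is the one a scripted scan like the one in the summary finds first, whereas a public-read policy on objects only exposes keys an attacker already knows.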

10 of 79 comments

  1. I think it's booty by alphatel · · Score: 5, Funny

    You have done an excellent job of revealing the very loose fabric of the internet, especially those that would not set their own security properly. However, under current law, you have violated so many laws, with so many more to come, that your best way out is to stand on the last iceberg in the Arctic and hope it does not melt anytime soon. Just to clarify, here's a few of the things you've clearly done, and I don't even have to prove them.

    Access and distribution of pornography (surely one of those buckets was full of porn, a felony in 20 countries)
    Access and distribution of child pornography (well at least one of those buckets has it, or did, or will one day)
    Failure to report a bucket full of child pornography
    Conspiracy to distribute
    Hacking every country in the world... let me explain, no wait let me sum up.
    Amazon has storage in 193 countries
    By accessing one you have violated the statutes of every country attacked
    This is basically punishable by the rest of your life in prison in every country, except the Vatican, which will send you to hell.
    So now you are going to hell, after spending the rest of your life kissing bubba's pants
    Unauthorized access (fines from Amazon, billions $$$$ ($100,000 per bucket per country, ouch!))
    Future crimes (as the future is soon, you are already guilty of):
    Discussing a hacking attempt
    Intent to hack
    Intent to exploit, list exploits, financially gain from exploits

    I can't type anymore, and there's no doubt as far as most governments are concerned I'm as guilty as you are by now.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:I think it's booty by WallaceAndGromit · · Score: 4, Informative
      --
      Name: Mr. Anon E Mouse; SSN: 555-55-5555
    2. Re:I think it's booty by PRMan · · Score: 3

      Tell that to weev. He'll be available to talk to you in 41 months.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  2. URLs? by K. S. Kyosuke · · Score: 3, Insightful

    "Researchers noted that S3 URLs are all predictable and public facing"

    I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

    --
    Ezekiel 23:20
    1. Re:URLs? by BradleyUffner · · Score: 3, Interesting

      So basically they walked down the street checking doors to see which ones were unlocked, then looked inside the unlocked houses?

      It would be like walking down a street and peeking into a public restaurant to see what's on the menu.

  3. This just in... by girlintraining · · Score: 5, Interesting

    People don't bother reading the manual. Then, everything explodes. How is this news? Please, find me a person in this industry who doesn't know what RTFM means. "Idiot who didn't RTFM exposes personal info." Those of us in the industry have a term for when things like this happen: Tuesday.

    What'll be news is when they say "And then the manager and personnel responsible went to jail, because their idiocy cost tax payers millions in lost productivity spent fixing their credit reports and financial lives."

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. What's the news here? by viperidaenz · · Score: 3, Funny

    A billion out of a billion Facebook accounts are ripe for the plundering too. Just wait for the next feature change and the inevitable default setting of "public" applied to every account.

  5. Will these guys get 41 months in jail too? by bennini · · Score: 3, Insightful

    This sounds an awful lot like what Andrew Auernheimer did.

    If the justice department or any company affected by this wants to, they could claim Computer Fraud and Abuse.
    Yet somehow I doubt the "researchers" will get any jail time.

  6. Re:Morons Don't Read Slashdot by girlintraining · · Score: 4, Interesting

    Amazon's Jeff Bezos must not give much direction to his crew about running things right.

    The default policy is set to private and Amazon provides extensive documentation and support should customers wish to secure things properly. 5 out of 6 did, and I think the sixth is a blithering idiot. How is Bezos responsible for the sixth guy shooting himself in the foot when the gun he was handed clearly said "Do not pull trigger while pointing at self."?

    --
    #fuckbeta #iamslashdot #dicemustdie
  7. Re:Morons Don't Read Slashdot by Anonymous Coward · · Score: 4, Informative

    > The default policy is set to private

      It is now, but it wasn't in Dec 2006 when I first started using S3. I looked through my buckets, and all of the ones I created that month are public.