Personal information that is not encrypted is rolling on Amazon's cloud


ByMartinak 15

Cloud storage provided by Amazon Web Service "Amazon S3It is pointed out that there is a risk that personal information can be accessed from the guessable URL in ".

Thousands of Amazon S3 buckets left open exposing private data
http://www.net-security.org/secworld.php?id=14669


This is a security software companyRapid 7Security researcher of Will Vandevanter pointed out.

Amazon S3 is an unrestricted online storage service that is useful for keeping a variety of things, from server backups to logs, to publicly available site images and PDF files. In the service, the files are stored in containers called "buckets", each given an arbitrary URL.

ByCubosh

Access control can be performed separately for this bucket itself and individual files and folders in the bucket respectively. If the bucket is "public", anyone can see the list of contents stored in it, but if it is set to "private", only a specific user can see it.

It is very easy to find out whether a bucket is public or private. Bucket URL defaults to
·http://s3.amazonaws.com/[bucket_name]/
·http://[bucket_name].s3.amazonaws.com/
Just access it by entering the URL directly.

If it is a bucket that is set to private, the message "access is denied" is displayed and the contents of the bucket are not displayed, but if it is public, the list of the top 1000 of the content in the bucket is displayed It shows. If it is a public bucket and the file is in a downloadable state, there is the possibility that personal information will leak from it.

ByLindyi

The worst case pointed out by Mr. Vandevanter is when the bucket is in public setting and the list of files that need attention to handling leaked out and access control has not been done for those files. Even when access control to the file was done, information such as the file name and how often it is being backed up will be leaked.

About the problem of "public bucket", freelance security testerRobin WoodSan had investigated, according to the results, of the 12,328 buckets, the public was 1951 and the private was 13,77. In other words, there are roughly six buckets open.

From this 1951 public bucket I got a list of over 126 billion files. Among them, when examining about 40,000 files that could see the contents, the following information was included.
· Personal photos posted on medium social media services
· Major car dealer account information and sales record
· Advertising company client's account information and data such as affiliate tracking information and CTR
· Various spreadsheets such as employee's personal information and membership list
· Database backup of unprotected state including website data and encrypted password
· Mobile game development company development tools and game source code
· PHP source code with configuration file including user name and password
· Battle card sales of major software companies


Approximately 60% of the files are pictures and images, some of the social media posted photos and movies were exposed. Also, there are over 5 million text files, some of which include credentials (credentials).

ByLuc legay

By the way, if you create a bucket with Amazon S3, the default is set to private, so Vandevanter makes public a bucket and publishes it, the file in it should be really public I advise that I want you to set it after considering whether or not.

in Note,   Web Service, Posted by logc_nt