

There's a Hole in 1,951 Amazon S3 Buckets - techinsidr
https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets

======
richardv
This is all really obvious though...

The title and the first 80% of the article are written to allow a casual reader
to infer that there is a problem with S3... simply put this isn't the case,
and through brute force guessing the researchers were able to find some
publicly accessible files containing sensitive information in a bucket...
(assuming of course that the bucket owner didn't intend for the bucket to be
public in the first place?)

This really isn't restricted or exclusive to just S3 buckets.. if you randomly
hit enough web accessible URLs you'll find confidential/sensitive material
elsewhere as well. People might feel slightly more confident or relaxed in
what they store on S3, but the author doesn't make any convincing points to
suggest this.

The findings are on a par with research such as "eating fatty food causes
heart problems", or "exercise is good for you"... or "Amazon S3 service used
as intended causes pages to be publicly accessible"...

If the Summly could do research TL;DRs as well, it would be, "S3 buckets set
to public are accessible to anyone".

~~~
malandrew
True. However, there is value in a company like Amazon licensing or creating
their own suite of tests like those performed by this researcher that would
warn users if they are likely exposing files publicly that they probably
shouldn't be exposing. e.g. "We found that the following files appear to
contain password data and are publicly viewable. Are you sure you want these
files to be listed publicly?"

~~~
res0nat0r
AWS actually already does proactively monitor and send out alert emails to
customers who have LIST enabled to Everyone on their S3 buckets, which is a
good thing.

------
NathanKP
I remember at some point when I was still a newbie with S3 I originally had
the permissions for my company's S3 bucket too open. Even though it was a
public bucket, containing image assets which were intended to be distributed
publicly over the internet, I was allowing the LIST operation to be made
against the bucket. Amazon actually sent me an automated warning email that I
should remove public LIST permissions from the bucket, because allowing LIST
operations could result in high S3 usage charges if someone started crawling
our S3 bucket.

Removing public LIST access not only prevents charges from accruing from LIST
operations but also allows you to keep your S3 resources semi-private even in
a public bucket, by using hard-to-guess private URLs. Going to the root of
the bucket no longer shows the list of files, instead it just shows an Access
Denied message.

I don't know if Amazon still sends out the automated message, but if they do
then those 1,951 open buckets are from people who either ignored the warning
or couldn't figure out how to follow Amazon's instructions on how to fix the
vulnerability.
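
An added example (not code from the thread or from AWS): an offline check that flags the public LIST grant described above while leaving per-object public reads alone. It assumes inputs shaped like boto3's `get_bucket_acl()` and `get_bucket_policy()` responses; the sample ACLs and policies are constructed.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
# On a bucket ACL, READ (or FULL_CONTROL) is what lets the grantee list objects.
LIST_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_list_grants(acl):
    """Return bucket-ACL grants that let anyone (or any AWS account) list the bucket."""
    bad = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in LIST_PERMISSIONS:
                bad.append((grantee["URI"], grant["Permission"]))
    return bad


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows_public_list(policy_json):
    """True if a bucket policy statement grants s3:ListBucket to Principal '*'."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # Condition blocks are ignored here; treat a match as "needs review".
        if is_public and actions & {"s3:listbucket", "s3:*", "*"}:
            return True
    return False


# Constructed samples (not real buckets): the "too open" ACL described in the
# comment above, and the fix that keeps only the owner on the bucket ACL.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
FIXED_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]})
GET_ONLY_POLICY = json.dumps({"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}})
```

Objects that must stay fetchable by URL keep their own object-level public READ; only the bucket-level listing grant is what the audit reports.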

~~~
IheartApplesDix
Amazon uses a Wizard-type agent at certain support levels that scans your
setup and builds you a report of everything you can save money on and security
issues, etc.

<http://aws.amazon.com/premiumsupport/faqs/#TAwhat>

------
themartorana
Careful. You don't want to go to jail for telling people about open, public
information on the Internet that you accessed just by going to a URL.

~~~
peterwwillis
Though overly snarky, you have a great point. Wasn't Weev just sent to jail
for exactly this? Doing HTTP GETs against "guessed" URLs without
authorization?

~~~
BoyWizard
No, he went to jail because after that, he wrote a script, scraped through all
the URLs and collected private information, then bragged in IRC about stuff he
could do with it.

------
gregd
"It should be emphasized that a public bucket is not a risk created by Amazon
but rather a misconfiguration caused by the owner of the bucket."

So not really a hole so much as it's configured that way. Title implies that
this is a breach of some kind, which it's not.

~~~
roberto
Yeah, what's the point of this article? Public buckets are public, who would
guess?!

~~~
techinsidr
Seems to be really about misconfiguration and serving as a reminder for
developers to check permissions on AWS buckets. While some data is obviously
stored in public buckets for a reason, it's clear that much of the data Rapid7
was able to find in the "open" buckets was not intended to be made available
to the public. It's not a security flaw with AWS, but an administrative
oversight really, but at least a good reminder for everyone to go check their
buckets :)

------
SwaroopH
Also, AWS usually notifies the account owners in such cases. I remember
getting at least 3 such emails across all the AWS accounts I have been an
owner of.

------
iuguy
Interestingly enough, how do Rapid7 think that they're able to do this sort
of thing? It goes against Amazon's terms of service and AUP, not to mention
against the people who have the data in insecurely configured buckets. In
light of Weev's sentencing and the sad case of Aaron Swartz, is there one law
for security companies and one law for individuals?

I appreciate that one can say they're carrying out important research, but did
they notify the people with open buckets or are they more interested in PR?

------
gregcmartin
There is a hole in your s3 bucket dear Liza

~~~
pekk
I am going to guess you were downvoted for totally screwing up the meter.

