Amazon Simple Storage Buckets Leak Owner’s Data

Image credits: Pixabay / Ryan McGuire

Almost 2,000 storage buckets from cloud provider Amazon are inadvertently exposing confidential user data due to improper configuration by the customer, according to a study by Metasploit vendor Rapid7.

Buckets are logical storage containers that companies use for purposes ranging from mirroring downloads to storing office documents or local backups. They can be set as either public or private, and access to the files is granted accordingly. If a bucket is set as public, its contents can be listed and accessed by anyone who knows its URL. That URL is easy to deduce because it follows a predefined format built around the bucket name (such as [bucket_name]/ or http://[bucket_name]), so a bucket's URL can be predicted simply by running candidate names from a dictionary, for instance.

“From the 1,951 public buckets we gathered a list of over 126 billion files,” wrote Rapid7’s Will Vandevanter in a blog post. “The sheer number of files made it unrealistic to test the permissions of every single object, so a random sampling was taken instead. All told, we reviewed over 40,000 publicly visible files, many of which contained sensitive data.”

The files found contained critical information about their owners and customers, including sales records, employee information, database backups and source code for video games and websites. The Rapid7 study shows that you can rely on cloud storage to keep your assets, but it can’t (yet) protect you from yourself. If you use Amazon’s Simple Storage Service, take a moment to review the security status of your buckets and the permission levels set individually on each file.
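One way to carry out that review, as an added example that is not from the article or the Rapid7 study: a small Python audit over ACL dictionaries in the shape boto3’s get_bucket_acl/get_object_acl return, run here on constructed sample ACLs (the bucket name, object keys and owner id are placeholders). It flags a bucket whose contents anyone can list and the objects anyone can fetch, which is the distinction the study’s per-object sampling relied on.

```python
# Added example: audit S3 ACLs for grants to the AWS-wide groups that make a
# bucket listable or an object readable by anyone. ACL dicts follow the shape
# boto3's get_bucket_acl / get_object_acl return; sample data below is constructed.

# Grantee URIs of the two AWS-defined global groups.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any_aws_account",
}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def public_permissions(acl):
    """Map audience ('everyone' / 'any_aws_account') -> set of permissions granted."""
    found = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.setdefault(PUBLIC_GROUPS[grantee["URI"]], set()).add(grant["Permission"])
    return found


def audit(bucket_name, bucket_acl, object_acls):
    """object_acls maps object key -> ACL dict. Returns the two findings that matter."""
    # READ on the *bucket* ACL lets anyone list every key (which is what exposes
    # otherwise unguessable object names); READ on an *object* ACL lets it be fetched.
    listable = "READ" in public_permissions(bucket_acl).get("everyone", set())
    world_readable = sorted(
        key for key, acl in object_acls.items()
        if "READ" in public_permissions(acl).get("everyone", set())
    )
    return {"bucket": bucket_name, "listable_by_everyone": listable,
            "world_readable_objects": world_readable}


def _grant(permission, uri=None, owner_id="owner-id-placeholder"):
    """Build one ACL grant: a group grant if uri is given, else an owner grant."""
    grantee = {"Type": "Group", "URI": uri} if uri else {"Type": "CanonicalUser", "ID": owner_id}
    return {"Grantee": grantee, "Permission": permission}


# Constructed sample: bucket is publicly listable; two of three objects are world-readable.
SAMPLE_BUCKET_ACL = {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]}
SAMPLE_OBJECT_ACLS = {
    "backups/customers.sql": {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]},
    "site/logo.png": {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]},
    "hr/payroll.xlsx": {"Grants": [_grant("FULL_CONTROL")]},
}

if __name__ == "__main__":
    print(audit("example-bucket", SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS))
```

A finding of `listable_by_everyone: True` on a bucket holding anything but intentionally published files is the condition the study describes; removing the AllUsers grant from the bucket ACL stops the listing, and the per-object list shows which files also need their own grants removed.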

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.