Using a combination of relatively low-tech techniques and tools, security experts from Rapid 7 broke into one in six Amazon Simple Storage Service (S3) buckets. Those contents range from sales records and personal employee information to source code and unprotected database backups. Much of the data could be used to stage a network attack, to compromise users’ accounts, or to flog on the black market.
From 2,000 buckets from which they gathered a list of more than 126 billion files. They reviewed over 40,000 publicly visible files, many of which contained sensitive information. According to Rapid 7 Senior Security Consultant Will Vandevanter a list of files and the files themselves can reveal sensitive information.
He said that the worst-case scenario is that a bucket has been marked as 'public' exposes a list of sensitive files, and no access controls have been placed on those files.
"A public bucket will list all of its files and directories to any user that asks."
He said that this is not a security hole in Amazon's storage cloud. But Amazon S3 account holders failed to set their buckets to private. Doh.