A potentially devastating Amazon S3 bucket exposure left internal Accenture private keys, secret API data and other information publicly available to anyone who could then leverage it to attack the global consulting firm and its clients.
The exposure was privately reported to Accenture on Sept. 17 by researchers at UpGuard; Accenture secured the publicly available S3 buckets a day later.
“Taken together, the significance of these exposed buckets is hard to overstate,” UpGuard said in a report published today. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”
Researcher Chris Vickery found four unsecured, publicly downloadable servers, each accessible without authentication and simply by knowing the right URL. The data contained inside the bucket is a laundry list of company secrets that would certainly make Accenture’s 94 Fortune Global 100 clients wince in agony.
Vickery said the downloadable data included authentication credentials, digital certificates, decryption key and logs of customer data. The leak also exposed software used by Accenture’s Cloud Platform enterprise-level management service.
“There was no risk to any of our clients – no active credentials, PII or other sensitive information was compromised,” an Accenture spokesperson told Threatpost. “We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”
Vickery and UpGuard have been among the firms looking for and disclosing similar leaks. In the past six months, numerous organizations across industries—from Verizon to Groupize to the Chicago voter roll—have sloppily left these S3 instances publicly accessible. The most damning aspect to these data leaks is that S3 is configured by default as private, requiring some kind of authentication to access the data stored therein. In each case, someone at the respective organizations has re-configured them to public.
“There is a lot of low-hanging fruit,” Vickery said in a recent Threatpost Podcast. Vickery said that Amazon dwarfs Microsoft and Google right now in terms of cloud storage market share which may skew the numbers of leaks in that direction. “If these buckets are set to public access, that means somebody at some point did something to make it that way. It’s not that Amazon did something wrong. Somebody who had administrative control over this data either made a decision to make it public, or didn’t realize what they were doing was going to make it public.”
Vickery added during the interview that many of these decisions are done for convenience-sake, for example removing the need for authentication in order for multiple parties to share access to the data in question.
“I see a lot of people cutting corners, plenty of people who say ‘I didn’t know that setting did that,'” Vickery said, adding that third-party utilities are also sometimes to blame and some organizations may not be aware of what exposure is left behind by those relationships. “It’s a really complicated new technology this cloud storage and computing, and there’s a whole lot of pressure on IT development people to do things on time, under budget and right.”
The four buckets each contained varied levels of sensitive information. One called acp-deployment stored internal access keys and credentials used by Accenture’s identity API used to authenticate credentials. There were also plaintext documents containing a master access key for Accenture’s account with Amazon Web Services’ Key Management Service. There were also private signing keys found in that bucket.
Another called acpcollector contained data related to the maintenance of Accenture’s cloud stores, including VPN keys for the company’s private network and a master view of its cloud ecosystem.
A third bucket called acp-software was the largest, and included database dumps featured Accenture client credentials, hashed passwords and 40,000 plaintext passwords in a separate backup. It also included access keys for Accenture’s Enstratus cloud management platform and data from its Zenoss event tracker system, including JSession IDs that could be plugged into cookies in order to bypass authentication.
The remaining bucket, acp-ssl, contained encryption key stores that provide access to a number of Accenture environments. The bucket also includes private keys and certificates that could be used to decrypt traffic between the company and its clients.
Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket.
This article was updated Oct. 10 with a comment from Accenture.