A rash of misconfigured Amazon Web Services storage servers leaking data to the internet has plagued companies recently. Earlier this week, data belonging to anywhere between six million and 14 million Verizon customers was left on an unprotected server belonging to a partner of the telecommunications firm. Last week, wrestling giant World Wide Entertainment accidentally exposed personal data of three million fans. In both cases, it was reported that data was stored on AWS S3 storage buckets.
The reasons this keeps happening vary. But Detectify Labs believes many leaky servers trace back to common errors in setting up access controls for AWS Simple Storage Service (S3) buckets.
In a report released Thursday, Detectify’s Security Advisor Frans Rosén said network administrators too often gloss over rules for configuring AWS’ Access Control Lists (ACL) and the results are disastrous.
“By identifying a number of different misconfigurations we discovered that we could suddenly control, monitor and break high-end websites due to weak configurations of the bucket and object ACLs,” Rosén wrote.
Rosén maintains there is a bug in AWS servers that allows attackers to identify the name of S3 buckets. Next, an adversary can use the bucket name information and an AWS Command Line tool to talk to Amazon’s API.
If done correctly, he said, the attacker can list and read files in the S3 bucket. The adversary can also write and upload files to the bucket, or change access rights. All this can be done, he said, without the company hosting data on S3 ever noticing.
Attackers are able to gain this access because of a common misconfiguration of AWS S3’s Access Control Lists, researchers said. Too often network administrators grant overly broad permissions on S3 buckets, allowing anyone with AWS credentials to access sensitive data.
“Having the access control set to ‘AuthenticatedUsers’ means ‘anyone with a valid set of AWS-credentials’ which is basically something you can get from signing up for AWS yourself. Having that access control is basically similar to ‘AllUsers’, since anyone can register to get an AWS-account. Our theory here is that people accidentally confuse Authenticated with Authorized when seeing this access control option,” Rosén said to Threatpost.
If the S3 bucket is misconfigured, the only thing needed is the name of the bucket. With the name, an attacker would be able to query AWS through the AWS command line interface, he said.
Of course, discovering S3 bucket names can be tricky. To that end, Detectify said its research proved it’s not difficult to identify bucket names and the companies they belong to. Researchers said there are many different ways to force S3 buckets to reveal themselves. One includes looking at the HTTP response for a server header that reads “AmazonS3.” Others are listed in its technical breakdown of its research.
According to Amazon, this is not a bug. Rather, AWS told Detectify that what they demonstrated is that AWS S3 servers can leak data if they are not configured properly. Amazon added that it was not likely to mitigate against user errors, Rosén said.
To be clear, Rosén said he can’t be sure if the leaky Verizon server or the California auto loan firm suffered from the same misconfiguration problem. But he said Detectify researchers found that 40 companies in total had different access control issues caused by bucket misconfigurations.
A separate study by Rhino Labs, which tested 10,000 AWS S3 buckets used by Alexa top 10,000 sites, found 107 S3 buckets (1.1 percent) were misconfigured.
Solving the problem is easy. AWS offers tools to change privileges on buckets and lock down access.
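As an added example (not from Detectify's report or from AWS), the Python below audits an ACL for grants to the AllUsers and AuthenticatedUsers groups discussed above and maps each permission to the list, write and change-access-rights impact Rosén describes. It assumes the Owner/Grants dictionary shape that S3 returns for a bucket ACL; the sample ACL, the placeholder IDs and the function names are constructed for illustration.

```python
# Added example: flag S3 ACL grants to the two global grantee groups.
# Input has the Owner/Grants shape of an S3 GetBucketAcl response.
GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {
    GROUPS + "AllUsers": "anyone on the internet",
    GROUPS + "AuthenticatedUsers": "anyone with any AWS account",
}
# Effect of each ACL permission when granted on a bucket.
IMPACT = {
    "READ": "list objects in the bucket",
    "WRITE": "upload, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (change access rights)",
    "FULL_CONTROL": "READ, WRITE, READ_ACP and WRITE_ACP combined",
}

def is_public(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS

def risky_grants(acl):
    """Return (group, who, permission, impact) for each public-group grant."""
    out = []
    for g in filter(is_public, acl.get("Grants", [])):
        uri, perm = g["Grantee"]["URI"], g.get("Permission", "")
        out.append((uri.rsplit("/", 1)[-1], PUBLIC_GROUPS[uri], perm,
                    IMPACT.get(perm, "unrecognised permission")))
    return out

def strip_public_grants(acl):
    """Return a new Owner/Grants policy without the public-group grants."""
    return {"Owner": dict(acl.get("Owner", {})),
            "Grants": [g for g in acl.get("Grants", []) if not is_public(g)]}

# Constructed sample ACL; IDs are placeholders, not real canonical user IDs.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUPS + "AuthenticatedUsers"},
         "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": GROUPS + "AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for group, who, perm, impact in risky_grants(SAMPLE_ACL):
        print(f"{group} ({who}) has {perm}: can {impact}")
    print("grants kept:", len(strip_public_grants(SAMPLE_ACL)["Grants"]))
```

The cleaned policy returned by `strip_public_grants` keeps the owner's grant and drops only the two group grants, so it can be reviewed before being written back with whatever tooling manages the bucket.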