GoDaddy Leaks ‘Map of the Internet’ via Amazon S3 Cloud Bucket Misconfig

Configuration data for GoDaddy servers could be used as a reconnaissance tool for malicious actors to uncover ripe targets.

UPDATE

GoDaddy, the world’s largest domain name registrar, has exposed high-level configuration information for tens of thousands of systems (and competitively sensitive pricing options for running those systems) in Amazon AWS, thanks to yet another cloud storage misconfiguration.

The documents were left exposed in a publicly accessible Amazon S3 bucket, and included configuration information for 24,000 systems within GoDaddy’s hosting infrastructure, including fields for hostname, operating system, workload (i.e., what the system was used for), AWS region, memory, CPU specs and more.  The bucket, named abbottgodaddy, was found June 19 by UpGuard, which said the information contained within represented a detailed map to a large portion of the internet.

“Essentially, this data mapped a very large-scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages and other calculated fields,” said UpGuard Cyber Risk Team researchers, in a posting on the issue late last week.

GoDaddy has 17.5 million customers and 76 million domain names, according to its website, and is one of the largest SSL certificate providers.

“GoDaddy is a critical part of internet infrastructure, and their cloud utilization operates at one of the largest scales in existence,” said UpGuard analysts, who said that GoDaddy secured the database as soon as UpGuard alerted the company to the issue. “One could arguably say that GoDaddy hosts a fifth of the internet.”

Given the scale, UpGuard looked into the potential consequences of the exposure, and found two main problems: For one, the configuration data of the GoDaddy servers could be used as a reconnaissance tool for malicious actors; and two, the data could be used by competitors to gain knowledge about GoDaddy’s cloud hosting strategy and pricing.

On the first point, the information included would have been very useful to bad actors, allowing them to select targets based on their role, probable data, size and region.

“The workload column particularly would help point attackers in the right direction, highlighting which systems serve more important functions and likely house important data,” UpGuard researchers explained. “While not directly providing credentials or exposing sensitive information stored on these servers, exposures of configuration details for digital infrastructure can provide a stepping stone to attacks that do access such information.”

Also included were what appear to be GoDaddy’s discounts from Amazon AWS.

“[This is] usually restricted information for both parties, who must negotiate for rates – as do GoDaddy’s competitors,” the analysts noted. “Competitors, vendors, cloud providers and others would all be interested to know how the largest domain host in the world handles their cloud expenditures. At the scale of Amazon AWS and GoDaddy, negotiations over a percentage point or two are critical, as it can mean a difference of millions of dollars a year.”

Amazon’s S3 storage buckets are private by default, but simple configuration errors have led to a raft of public disclosures over the last few years, and they continue to be critical contributors to data breach statistics.

Interestingly, in this case, AWS itself was the culprit.

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” a spokesperson told Threatpost. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”

This post was updated at 4:58 Eastern to include a comment from Amazon Web Services.

Suggested articles