Six percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.
In a survey of 2,064 Google Cloud buckets by Comparitech, 131 of them were found to be vulnerable to unauthorized access by users who could list, download and/or upload files. Among the exposed data that the firm uncovered were 6,000 scanned documents that included passports, birth certificates and personal profiles from children in India. Another database belonging to a Russian web developer included email server credentials and the developer’s chat logs.
“Those buckets can contain confidential files, databases, source code and credentials, among other things,” wrote researcher Paul Bischoff at the firm, in a posting on Tuesday.
He added that uncovering exposed cloud databases is a trivial matter. In Google’s case, there are naming guidelines that make them easy to find: Google Cloud database names must be between three and 63 characters; may contain only lowercase letters, numbers, dashes, underscores and dots, with no spaces; and must start and end with a number or letter.
“Our researchers were able to scan the web using a special tool available to both administrators and malicious hackers. They searched for domain names from Alexa’s top 100 websites in combination with common words used when naming buckets like ‘bak,’ ‘db,’ ‘database’ and ‘users,’” Bischoff explained. “Filtering based on the search input and the naming guidelines, they were able to find more than 2,000 buckets in about 2.5 hours. Our researchers noted they could likely improve their analysis to cover even more domains.”
With the list of buckets in hand, the researchers then went about checking if each one was vulnerable or misconfigured.
“This is where our researchers’ analysis stopped, but of course, an attacker could go much further. For example, an attacker could download all files in the bucket using the ‘gsutils’ command-line tool, an official tool from Google for managing buckets,” Bischoff warned.
While the analysis covered Google Cloud buckets only, the misconfiguration issue extends to other platforms: Amazon’s S3 buckets, for instance, are the most popular means for apps, websites and online services to store data in the cloud, and are also often found exposed.
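The check the researchers stopped at, whether a bucket grants access to everyone, can be done on your own buckets from the bucket’s IAM policy. The following is an added example, not Comparitech’s tool or any code from the article: it takes a policy in the JSON shape returned by `gsutil iam get gs://BUCKET` and reports which public principals (`allUsers`, `allAuthenticatedUsers`) hold roles that allow listing, downloading or uploading. The sample policy is constructed, and the role-to-capability mapping is a deliberate simplification of the real Cloud Storage roles.

```python
import json
from typing import Dict, List

# Principals that make a bucket reachable with no credentials (allUsers)
# or with any Google account at all (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Cloud Storage roles mapped to the capabilities the survey measured.
# Legacy/primitive roles are included because older buckets still use them.
# This mapping is a simplification for illustration, not the full permission model.
ROLE_CAPABILITIES = {
    "roles/storage.objectViewer": {"list", "download"},
    "roles/storage.legacyObjectReader": {"download"},
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.objectCreator": {"upload"},
    "roles/storage.legacyBucketWriter": {"list", "upload"},
    "roles/storage.objectAdmin": {"list", "download", "upload"},
    "roles/storage.admin": {"list", "download", "upload"},
    "roles/viewer": {"list", "download"},
    "roles/editor": {"list", "download", "upload"},
    "roles/owner": {"list", "download", "upload"},
}


def public_exposure(policy: dict) -> Dict[str, List[str]]:
    """Return {public principal: sorted capabilities} for every public binding."""
    found: Dict[str, set] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                # Unknown roles are flagged rather than silently ignored.
                caps = ROLE_CAPABILITIES.get(binding.get("role", ""), {"unknown"})
                found.setdefault(member, set()).update(caps)
    return {member: sorted(caps) for member, caps in found.items()}


def is_public(policy: dict) -> bool:
    """True if any public principal holds any role on the bucket."""
    return bool(public_exposure(policy))


# Constructed sample policy in the shape produced by `gsutil iam get gs://BUCKET`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]}
  ],
  "etag": "CAE="
}
""")

if __name__ == "__main__":
    print(json.dumps(public_exposure(SAMPLE_POLICY), indent=2))
```

Any non-empty result means the bucket is listable, downloadable or writable by strangers; the fix is to remove the public binding (or enable uniform bucket-level access and re-grant only the principals that need it).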
“Given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use,” Joe Moles, vice president of customer security operations at Red Canary, said via email. “At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: Better security through better IT.”
2020 has had its share of high-profile incidents. In September alone, an estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, had their private info exposed via a misconfigured Elasticsearch server. A misconfigured Elasticsearch server owned by Mailfire, affecting 70 dating and e-commerce sites, was found leaking personally identifiable information (PII) and details such as romantic preferences. Also this month, the Wales arm of the NHS announced that PII of Welsh residents who had tested positive for COVID-19 was exposed after it was uploaded to a public server.
Ryan Trost, CTO and co-founder of ThreatQuotient, said that the misconfiguration issue has worsened in the post-COVID-19, work-from-home world — and that cybercriminals are aware of this and are actively on the hunt for open databases.
“Businesses continue to place more and more data in the cloud, from personal details to intellectual property,” he said in a recent column. “The growing adoption of cloud-based solutions by businesses, whether for greater agility, data analytics or to support employees in accessing the data, for example when they were working remotely or from home, also increases the risk of cloud attacks.”
He added, “Little did we know back then, almost 6 months ago, that the outbreak of COVID-19 would occur, creating the perfect storm for cyberattackers to take advantage of an incredibly disruptive period. Businesses were forced to adopt solutions at a rapid pace, potentially skipping usual protocols, and likely employee use of ‘shadow IT’ solutions. As more and more remote employees place vital data into the cloud, this creates more entry points that are vulnerable and open for cyberattackers to exploit.”