Amazon S3 Buckets Left Unsecured One-Sixth Of The Time, Researcher Discovers

Will Vandevanter of security firm Rapid 7 has discovered that a sixth of all Amazon Simple Storage Service (S3) buckets have been left open to public viewing.

The study also found that a number of the buckets that were left open for public viewing contain sensitive data. Some of that data includes source code for mobile games, user log-in details, and various other files containing personal information.

Vandevanter used a script to generate bucket URLs from the names of businesses that use Amazon S3. The study found 12,328 buckets, of which 10,377 were listed as private and could not be viewed. The remaining 1,951 buckets were publicly viewable, with 1,000 objects listed from each.

According to the study, personal information in public buckets ranged from “personal photos from a medium-sized social media service” to “employee personal information and member lists across various spreadsheets.”

In one case, the researcher found PHP source code whose configuration files included usernames and passwords.

Approximately 60 percent of the files found were images, while several confidential and private text-based documents were also discovered during the investigation.

Amazon S3 buckets default to the private setting. A bucket becomes public only when a user changes that setting, either by accident or on purpose.

Because users may accidentally make an entire bucket public when they meant to expose only a small subset of files, Amazon is taking additional steps to warn S3 customers when a bucket's setting is changed from private to public.
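As an added example (not part of the original article or the Rapid7 study), the following Python helper flags the two settings that make an S3 bucket publicly listable or readable: ACL grants to the AllUsers or AuthenticatedUsers groups, and unconditional bucket-policy statements whose principal is "*". The input shapes match what boto3's get_bucket_acl() and get_bucket_policy() return; the sample ACL, policy, bucket name and account ID are constructed placeholders.

```python
import json

# Group URIs AWS uses in ACL grants for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
EXPOSING_PERMISSIONS = {"READ", "FULL_CONTROL"}  # ACL permissions that allow listing objects
EXPOSING_ACTIONS = {"s3:*", "s3:listbucket", "s3:getobject"}  # policy actions, lowercased

def _as_list(value):  # policy fields may be one string/dict or a list; normalise to a list
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def public_acl_grants(acl):
    """Grants in a get_bucket_acl()-shaped dict that let the public list or read the bucket."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        and g.get("Permission") in EXPOSING_PERMISSIONS
    ]

def _principal_is_everyone(principal):  # "*" or {"AWS": "*"} means anyone, even anonymous
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def public_policy_statements(policy_json):
    """Unconditional Allow statements for everyone in a get_bucket_policy() JSON string."""
    found = []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        if st.get("Condition"):  # conditional grants need a human look; not flagged here
            continue
        if any(a.lower() in EXPOSING_ACTIONS for a in _as_list(st.get("Action"))):
            found.append(st)
    return found

# Constructed sample inputs (not from any real account): an ACL granting READ to AllUsers,
# and a policy whose first statement lets anyone fetch objects while the second is owner-only.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})
```

In a real audit, loop over list_buckets() and pass each bucket's get_bucket_acl() result and get_bucket_policy()["Policy"] string to these functions; a non-empty return from either is a bucket to review.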

Security concerns involving data centers, web providers, and other services have grown over the last year. In this case, the problems with the Amazon S3 service appear to stem from user error.

In the meantime, remember to change your passwords regularly and use a different password for each service. Then again, if your information is simply left out in the open, those passwords won't matter.

Are you becoming increasingly concerned about your private data being exposed by online hackers and researchers?