An investigation into Amazon's Simple Storage Service (S3) discovered that a sixth of the data stores on the service, known as buckets, are left open to public viewing. Further examination showed that a number of the items on open display were of a sensitive nature, including source code for mobile games, user log-in details, and various other items of personal information.
The investigation by Will Vandevanter of security firm Rapid 7, published by Help Net Security, used a script to generate URLs based on the names of businesses that use Amazon S3, discovering 12,328 buckets in total. While 10,377 buckets were listed as private and not viewable, 1,951 were not only public, but the service also provided a list of the first 1,000 objects stored in each discovered bucket.
Data recovered from the public buckets ranged from "personal photos from a medium-sized social media service" to "Employee personal information and member lists across various spreadsheets." PHP source code found in one bucket contained configuration files that held usernames and passwords. Roughly 60 percent of the file listings were images, and a number of the text-based documents found used the terms "Confidential" or "Private" in various places.
By default, Amazon S3 sets buckets to be private. Since a bucket can only become public if its owner changes that setting, whether on purpose or by accident, each exposed bucket reflects a configuration change made by its owner. Even so, Amazon is taking steps to warn users about the issue, as well as working to identify misconfigured buckets in the future.
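The two bucket settings an owner can change to expose a listing are the bucket ACL and the bucket policy. The following added example (not code from the article or from Rapid 7) audits both for the exact condition described above, anonymous enumeration of object keys, and produces a cleaned ACL with the public grants removed. It assumes the ACL and policy documents have already been retrieved in the shape the S3 API returns them (for example via boto3's get_bucket_acl and get_bucket_policy); the sample bucket, owner ID and policy below are constructed for illustration.

```python
import json

# Canned grantee group URIs that S3 uses in ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers (anonymous)",
                 AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)"}

# ACL permissions that allow a grantee to enumerate the bucket's keys.
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _principal_is_public(principal):
    """True when a bucket-policy Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _actions_cover_listing(actions):
    """True when the statement's Action list includes s3:ListBucket, directly or by wildcard."""
    for action in [actions] if isinstance(actions, str) else actions:
        a = action.lower()
        if a in ("*", "s3:*", "s3:listbucket"):
            return True
        if a.endswith("*") and "s3:listbucket".startswith(a[:-1]):  # e.g. s3:List*
            return True
    return False


def listing_findings(acl, policy=None):
    """Return human-readable findings for every way the bucket listing is exposed.

    The policy check is deliberately conservative: it flags any Allow statement
    with a public principal and a listing action, and does not evaluate Deny
    statements or Condition blocks that might narrow it.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS \
                and perm in LISTING_PERMISSIONS:
            findings.append(f"ACL grants {perm} to {PUBLIC_GROUPS[grantee['URI']]}")
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        statements = doc.get("Statement", [])
        for st in [statements] if isinstance(statements, dict) else statements:
            if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")) \
                    and _actions_cover_listing(st.get("Action", [])):
                findings.append(f"policy statement {st.get('Sid', '<no Sid>')} "
                                "allows s3:ListBucket to everyone")
    return findings


def is_publicly_listable(acl, policy=None):
    return bool(listing_findings(acl, policy))


def remove_public_grants(acl):
    """Return a copy of the ACL with AllUsers/AuthenticatedUsers grants stripped.

    The result has the Owner/Grants shape accepted as AccessControlPolicy by
    put_bucket_acl; the public policy statement would be removed separately.
    """
    kept = [g for g in acl.get("Grants", [])
            if not (g.get("Grantee", {}).get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl.get("Owner", {}), "Grants": kept}


# Constructed sample documents (hypothetical owner ID and bucket name).
OWNER = {"ID": "example-owner-canonical-id"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None),
                           ("acl-open", OPEN_ACL, None),
                           ("policy-open", PRIVATE_ACL, OPEN_POLICY)]:
        print(name, listing_findings(acl, pol) or ["no public listing"])
    print("after cleanup:", listing_findings(remove_public_grants(OPEN_ACL)))
```

Run against every bucket in an account, this turns the article's finding into a routine check: a bucket is only listable by the public if one of these two documents says so, so an empty findings list for both is the condition to enforce.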