Here’s a tip worth remembering: when you open a new account on any website or service, set it to private from the start (and don’t change any default settings right away). That way, accidentally exposing information that is supposed to be inaccessible is far less likely (security breaches do still happen, but that’s another story). Many business owners and developers may have to learn that lesson the hard way, since Net Security uncovered that some of Amazon’s S3 data buckets were vulnerable, leaving almost 126 billion files unprotected.
Will Vandevanter, a security researcher at Rapid7, discovered the issue. In his blog post on Net Security detailing his findings, he says that among the 40,000 visible files he sampled (126 billion is far too many to study completely), the types of data he found included source code for a video game owned by a mobile game developer, unencrypted database backups, spreadsheets containing employee information, affiliate tracking results, sales records from a car dealership, and personal user information from a social media service. Around 60 percent of the exposed files were images, and several social media sites were found to have left user-uploaded photo and video content unprotected.
Users back up their files to S3, where they are stored in “buckets”, each with its own URL. Much like setting permissions on a folder in your computer’s home directory, the owner can set access permissions on the bucket (the folder) or on individual files.
If Vandevanter’s report proves one thing, it’s that finding out whether a bucket is public is very easy: simply entering a public bucket’s URL lists the first thousand files it contains.
Don’t blame Amazon for this, though; it is not their fault but rather “a misconfiguration caused by the owner of the bucket,” says Vandevanter. By default, Amazon S3 buckets are private unless the owner changes the settings to allow public access.
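As an added example (not code from the article or from Rapid7), here is a small Python audit of the permission model described above: it flags ACL grants to the AWS-wide groups that make a bucket listable or an object downloadable by people other than the owner, shows what the default private ACL looks like, and parses the listing that opening a public bucket’s URL returns. The ACL dictionaries follow the shape boto3’s get_bucket_acl()/get_object_acl() return, but every bucket name, owner ID and key below is constructed so the script runs offline without AWS credentials.

```python
"""Audit Amazon S3 ACLs for public grants and parse a public bucket listing.

Added example: not code from the article or from Rapid7. The ACL dicts mirror
the shape boto3's get_bucket_acl()/get_object_acl() return, but every value
below is constructed so the script runs offline without AWS credentials.
"""
import xml.etree.ElementTree as ET

# Predefined S3 groups; a grant to either of these is a public grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ANYONE = "anyone (anonymous)"
ANY_AWS_ACCOUNT = "any AWS account holder"

# What a permission means on a bucket versus on an individual object.
BUCKET_EFFECT = {
    "READ": "list every object key in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (as good as full control)",
    "FULL_CONTROL": "all of the above",
}
OBJECT_EFFECT = {
    "READ": "download the object",
    "READ_ACP": "read the object ACL",
    "WRITE_ACP": "rewrite the object ACL",
    "FULL_CONTROL": "all of the above",
}


def public_grants(acl, level="bucket"):
    """Return (who, permission, effect) for each grant to an AWS-wide group."""
    effects = BUCKET_EFFECT if level == "bucket" else OBJECT_EFFECT
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are not public
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            who = ANYONE
        elif uri == AUTHENTICATED_USERS:
            who = ANY_AWS_ACCOUNT
        else:
            continue  # e.g. the LogDelivery group
        perm = grant["Permission"]
        findings.append((who, perm, effects.get(perm, "unknown permission")))
    return findings


def is_listable_by_anyone(bucket_acl):
    """True if anonymous users can enumerate the bucket's keys, which is the
    condition that makes a bucket URL print its first thousand files."""
    return any(who == ANYONE and perm in ("READ", "FULL_CONTROL")
               for who, perm, _ in public_grants(bucket_acl, "bucket"))


def private_acl(owner):
    """The ACL a new bucket gets by default: only the owner, FULL_CONTROL."""
    return {
        "Owner": owner,
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"],
                                "DisplayName": owner["DisplayName"]},
                    "Permission": "FULL_CONTROL"}],
    }


S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def parse_listing(xml_text):
    """Parse a ListBucketResult body, which is what a browser shows when a
    public bucket's URL is opened. S3 returns at most MaxKeys (default 1000)
    keys per response and sets IsTruncated when more exist."""
    root = ET.fromstring(xml_text)
    keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated


# --- constructed sample data (owner ID, bucket name and keys are made up) ----
OWNER = {"ID": "0000constructedownerid0000", "DisplayName": "example-owner"}
PRIVATE_BUCKET_ACL = private_acl(OWNER)
PUBLIC_BUCKET_ACL = private_acl(OWNER)
PUBLIC_BUCKET_ACL["Grants"].append(
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"})
PUBLIC_OBJECT_ACL = private_acl(OWNER)
PUBLIC_OBJECT_ACL["Grants"].append(
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"})

SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <Contents><Key>backups/db-2013-03-01.sql</Key><Size>1048576</Size></Contents>
  <Contents><Key>hr/employees.xlsx</Key><Size>20480</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    for name, acl in [("private", PRIVATE_BUCKET_ACL), ("public", PUBLIC_BUCKET_ACL)]:
        print(name, "bucket listable by anyone:", is_listable_by_anyone(acl))
        for who, perm, effect in public_grants(acl):
            print("  ", who, "has", perm, "->", effect)
    for who, perm, effect in public_grants(PUBLIC_OBJECT_ACL, "object"):
        print("object:", who, "has", perm, "->", effect)
    keys, more = parse_listing(SAMPLE_LISTING)
    print("listing:", keys, "| more keys beyond this page:", more)
```

To run this against your own buckets, feed `public_grants` the dictionary boto3’s `get_bucket_acl(Bucket=...)` returns for each bucket, and `get_object_acl` for objects. Two caveats a practitioner should keep in mind: ACLs are only one way a bucket becomes public, since a bucket policy can grant the same access without any ACL grant appearing, and AWS has since added account- and bucket-level Block Public Access settings that override both; an audit should check all three.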
In addition to publishing an advisory on proper data protection for its users, Amazon is also “putting measures in place to proactively identify misconfigured files and buckets moving forward” in response to Vandevanter’s probe, according to The Verge.