amazon cloud

2 replies to this topic

#1 techbeck


    It's not that I am lazy, it's that I just don't care

  • 20,791 posts
  • Joined: 20-January 05

Posted 27 March 2013 - 17:22

By not setting their cloud storage accounts to private, businesses and developers have been inadvertently allowing unauthorized parties to retrieve sensitive documents, images and other files previously believed to be inaccessible. According to Net Security, just by probing Amazon's S3 servers with automatically generated URLs for a number of major companies and websites, security researcher Will Vandevanter was able to discover 12,328 unique S3 "buckets," 1,951 of which were left open to the public.

From those 1,951 buckets, Vandevanter was able to generate a list of 126 billion files. The sheer scale of data available made it impossible for it all to be analyzed, but from a sample of 40,000 publicly visible files, personal data belonging to a "medium-sized social media service" was accessed, as were car dealership sales records, affiliate tracking data, employee data spreadsheets, unencrypted database backups, and videogame source code from a mobile games developer. In total, 60 percent of files were images, but different social media sites were identified to be exposing user pictures and videos. In order to harvest the files, Vandevanter took a list of Fortune 1000 companies and the top 100,000 Alexa websites and tested possible server address permutations on the amazonaws.com domain, before feeding them into Bing's Search API to identify if they were open.

Amazon sets S3 accounts to private by default, but buckets can be opened to the public manually or as a result of misconfiguration. Treating Vandevanter's research with a matter of urgency, Amazon has begun warning its users that their files might be publicly accessible, and is "putting measures in place to proactively identify misconfigured files and buckets moving forward."


Things are only as secure as the users.

#2 Javik



  • 6,539 posts
  • Joined: 21-May 12

Posted 27 March 2013 - 18:12

User stupidity. The bane of a technician's life, and our biggest source of income at the same time.

#3 Detection


    Detecting stuff...

  • 8,369 posts
  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 27 March 2013 - 18:41

gamigo.com and forumcore.net got hacked and databases exposed recently too

And a few more