The Daily Swig: “Hundreds of thousands of potentially sensitive files are publically available through open Amazon buckets, a new online tool can reveal. The free tool, created by software engineer GrayhatWarfare, is a searchable database where a current list of 48,623 open S3 buckets can be found. Amazon’s S3 cloud storage, or Simple Storage Service, is used by the private and public sector alike as a popular way to cache content. Files are allocated buckets, which are secured and private by default, but can easily be set for public access. While it is perfectly acceptable to set S3 buckets as available for all to read, numerous data breaches have been the result of an administrator’s misconfiguration. In March of this year, for example, an unsecured bucket at a US-based jewelry company resulted in the exposure of the personal details of over 1.3 million people, including addresses, emails, and IP identifiers. Bob Diachenko of Kromtech Security was the first to report the incident, and has helped create a tool aimed at detecting bucket permissions, similar to the one created by GrayhatWarefare.
“On the one hand, it [GrayhatWarfare’s tool] follows the same path as Shodan does,” Diachenko told The Daily Swig. “It gives researchers and the general audience a possibility to check if their infrastructure is safe. At the same time, it opens doors for ‘passwords-seekers’ and people with malicious intents to leverage upon data found in this ‘Semsem’ cave…”