Rapid7 has released information about a misconfiguration in Amazon’s Simple Storage Service (S3) through which many organisations have left their buckets (where the data is stored) accessible to the public.
During its research, Rapid7 reviewed the permissions of approximately 13,000 Amazon S3 buckets and uncovered the following:
- Many large companies are represented in the list of publicly exposed buckets
- More than 28,000 PHP source files were identified. Some contain details such as database usernames, passwords, and API keys
- The most common exposure was through log backups that were left globally accessible
- Over 218,000 CSV files were identified, many of which expose personal information such as names, email addresses, and phone numbers
- Many of the documents identified were clearly marked as confidential or obviously private in nature. In other instances, the exposed data included log files and service data that exposed sensitive details about the organization and their customers
Some examples of the information they found included:
- Personal photos from a medium-sized social media service
- Sales records and account information for a large car dealership
- Unprotected database backups containing site data and encrypted passwords
- Video game source code and development tools for a mobile gaming firm
- Sales “battlecards” for a large software vendor
- Employee personal information and member lists across various spreadsheets
In response to this research, Rapid7 worked with Amazon to disclose this misconfiguration. Rapid7 has also published an extensive blog post explaining the research here. Let me know if you'd like to speak to someone from Rapid7 about this.
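The exposure described above comes down to bucket permissions, so a defender can audit for it by inspecting each bucket's ACL and bucket policy for grants to everyone. The following is an added example, not code from Rapid7 or the blog post; it works on the dict shapes returned by boto3's `get_bucket_acl` and `get_bucket_policy` (policy parsed from JSON) using constructed sample inputs, so it runs offline.

```python
import json

# Real S3 group grantee URIs: AllUsers is anonymous, AuthenticatedUsers is any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_actions(policy):
    """Return S3 actions an unconditional Allow statement grants to Principal '*'."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.extend(_as_list(stmt.get("Action", [])))
    return findings

# Constructed sample: READ on the bucket ACL lets anonymous users list the bucket,
# and the policy lets anyone fetch every object in it.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                          '"Principal": "*", "Action": "s3:GetObject", '
                          '"Resource": "arn:aws:s3:::example-bucket/*"}]}')

if __name__ == "__main__":
    for who, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {who}")
    for action in public_policy_actions(SAMPLE_POLICY):
        print(f"bucket policy allows {action} to everyone")
```

Run across every bucket in an account, a non-empty result from either function is the misconfiguration the research describes; a bucket that needs to be public should have that decision recorded rather than silenced in the check.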