By not setting their cloud storage accounts to private, businesses and developers have been inadvertently allowing unauthorized parties to retrieve sensitive documents, images and other files previously believed to be inaccessible. According to Net Security, just by probing Amazon's S3 servers with automatically generated URLs for a number of major companies and websites, security researcher Will Vandevanter was able to discover 12,328 unique S3 "buckets," 1,951 of which were left open to the public.
Vandevanter was able to generate a list of 126 billion files
From those 1,951 buckets, Vandevanter was able to generate a list of 126 billion files. The sheer scale of the data made it impossible to analyze all of it, but from a sample of 40,000 publicly visible files, personal data belonging to a "medium-sized social media service" was accessed, as were car dealership sales records, affiliate tracking data, employee data spreadsheets, unencrypted database backups, and video game source code from a mobile games developer. In total, 60 percent of the files were images, and several social media sites were found to be exposing user pictures and videos. To harvest the files, Vandevanter took a list of Fortune 1000 companies and the top 100,000 Alexa websites, tested possible server address permutations on the amazonaws.com domain, and then fed them into Bing's Search API to determine whether they were open.
Amazon sets S3 accounts to private by default, but buckets can be opened to the public manually or as a result of misconfiguration. Although the exposures amount to user error, Amazon is treating Vandevanter's research as a matter of urgency and has begun warning its users that their files might be publicly accessible, "putting measures in place to proactively identify misconfigured files and buckets moving forward."
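The two ways a bucket ends up public that the article mentions, a manually granted ACL or a misconfigured bucket policy, can both be checked from the account owner's side. The following audit helper is an added example and not code from the article or from Amazon; it evaluates documents shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy calls (the predefined AllUsers and AuthenticatedUsers group URIs are the real ones S3 uses), but the bucket name, policy and ACL sample data are constructed for illustration.

```python
"""Flag S3 buckets whose ACL or bucket policy exposes them to everyone.

Added example, not part of the original article. Input documents mirror the
shape of S3's GetBucketAcl / GetBucketPolicy responses; the sample data is
constructed and the bucket name is a placeholder.
"""
import json

# Real predefined S3 group URIs. A grant to either makes a bucket "public":
# AllUsers is anonymous access, AuthenticatedUsers is any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (group_uri, permission) pairs granted to a public group.

    `acl` has the structure of a GetBucketAcl response: {"Grants": [...]}.
    A READ grant on the bucket itself permits listing its objects.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for the policy principal forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (open_sids, conditional_sids) for Allow statements with a
    wildcard principal. Statements carrying a Condition block may still be
    narrowed (e.g. by source IP), so they are reported separately for review
    instead of being silently accepted or silently flagged.
    """
    open_sids, conditional_sids = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional_sids if stmt.get("Condition") else open_sids).append(sid)
    return open_sids, conditional_sids


def audit_bucket(name, acl, policy):
    """Combine both checks into one finding record for a bucket."""
    acl_findings = public_acl_grants(acl)
    open_sids, conditional_sids = public_policy_statements(policy)
    return {
        "bucket": name,
        "public_acl": acl_findings,
        "public_policy": open_sids,
        "conditional_policy": conditional_sids,
        "is_public": bool(acl_findings or open_sids),
    }


# Constructed sample: owner has FULL_CONTROL, but anonymous READ was added,
# which is the listing exposure the research relied on.
SAMPLE_ACL = {
    "Owner": {"ID": "placeholder-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample policy: one fully open statement and one narrowed by
# a Condition block. GetBucketPolicy returns the policy as a JSON string.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "IPRestricted", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

PRIVATE_ACL = {"Owner": {"ID": "placeholder-owner-id"}, "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Running the audit over every bucket in an account turns the article's "open to the public" condition into a concrete finding: a READ grant to AllUsers on the bucket ACL, or an Allow statement whose principal is "*", is exactly what let the researcher enumerate and fetch files. The conditional statements are listed rather than judged because a source-IP or VPC condition can legitimately narrow a wildcard principal, and a reviewer should confirm that rather than a script.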