Wednesday, March 27, 2013
(W) Amazon leaking data found by one Thoughtful Hacker in July 2012
Recent press by Rapid7 on Amazon S3 Buckets leaking data was first shared with me by my partner Ian. In June/July of last year he was working on a side project and found some disturbing information with me.
I wanted to share his findings as Rapid7 missed something. Here is his comments to me.
"OK, here are some additional details that I didn't see touched upon. I've been keeping this one quiet within the community, but since Rapid7 broke it, might as well...
Back in June of last year I was working with an Amazon EC2 instance and something caught my eye. I made a mental note to come back and check it out. I did later and found a whopper.
In EC2 you can create additional S3 drives. When you go through that process, you can select a "public" image to use. Just by scrolling through the list, some of these looked like they shouldn't have been public. I later came back and started examining them manually. The first one I tried was pretty significant. Let's just say it was a company that has a fondness for a type of dog and the color red. 'Nuff said. There were tons of email addresses, SSH keys, and so forth all over this.
So I went to work writing a utility for scraping called Snoop.py so I could pull out and analyze more of this stuff and see what the common thread was. As you found, there is lots of stuff exposed on there that shouldn't be.
Now, here's where it gets really interesting.
I found that most, but NOT ALL, of the "public" drives were configured as "public". That is, there was a clear subset that were NOT marked as being public. And I found a really easy way of seeing this in the Amazon portal. Here's how it works. If you go to the S3 side of the house and go to the option where you can see all public images in a list, take a copy of that list. Now, go to where you would create a new drive and attach an image. Take a copy of that, and compare. Back in July through probably September, if you did this you would have a discrepancy -- you could attach to more drives that weren't yours than you could see on the public list. And, these were the most, let's say, juicy.
I let some folks know and made attempts to contact others. At some point, sometime around or after September, it seems those "extra" drives disappeared from view and things went back to normal.
Although clearly people still are leaking data. But I suspect, but have no hard proof, that there was something else wrong in the cloud."
Ian and I got side tracked with malware work, but planned to get back to it. Since Rapid7 released the info,it only seemed right to release this info.
Got leaky storage?
Rapid 7 article on data leaking S3 buckets