Annual Computer Security Applications Conference (ACSAC) 2018


There’s a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets

Cloud storage services represent an efficient storage solution for a variety of use cases. In fact, such services allow even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, this comes with privacy concerns due to the possibility of involuntary data exposure. In fact, managing access control at scale is very often particularly hard, as size and complexity rapidly increase, especially when such policies are underestimated. This has a strong impact not only on privacy, but also on security, and often causes dangerous misconfigurations. In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We built a tool that performs security checks of S3 buckets in a completely unattended way, without storing or exposing any sensitive data to the analyst. This tool is intended for developers, end users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large-scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in the access policies. The most concerning one is certainly the (unwanted) exposure of storage buckets, because these could be leaking sensitive data such as private keys, credentials and database dumps, or allow attackers to tamper with their resources. To raise awareness on the risks and help users to secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that rely on S3 buckets, identifying 191 vulnerable websites. Finally, we propose a mitigation to protect end-users from such vulnerable websites by designing a browser extension that prevents the browser from loading resources hosted in unsecured buckets.
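As an added example, not the paper's tool or any code from its authors, the following pure-Python classifier covers the two places where an S3 bucket's access policy can open it to the public, the bucket ACL and the bucket policy, and flags the public-write case that enables the defacement described above. The dictionary and JSON shapes mirror what boto3's get_bucket_acl() and get_bucket_policy() return; the sample ACL, policy, bucket name and owner ID are constructed, and all function names are assumptions.

```python
# Added illustration (not the paper's tool); inputs mirror boto3 get_bucket_acl()/get_bucket_policy() shapes.
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"              # unauthenticated public
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"   # any AWS account, not "my users"

def acl_findings(acl):
    """Findings from an ACL: grants to the AllUsers / AuthenticatedUsers groups."""
    out = set()
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") != "Group" or g.get("URI") not in (ALL_USERS, AUTH_USERS):
            continue
        who = "anyone" if g["URI"] == ALL_USERS else "any-aws-account"
        perm = grant.get("Permission", "")
        if perm in ("READ", "FULL_CONTROL"):
            out.add(f"{who}:list")   # bucket READ = enumerate object keys
        if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            out.add(f"{who}:write")  # overwrite or delete objects (defacement case)
        if perm in ("WRITE_ACP", "FULL_CONTROL"):
            out.add(f"{who}:acl")    # can rewrite the ACL itself
    return out

def policy_findings(policy_json):
    """Findings from a bucket policy: Allow statements whose Principal is the wildcard '*'."""
    out = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        p = stmt.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not wildcard:
            continue
        actions = stmt.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            a = a.lower()
            if a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")):
                out.add("anyone:write")
            if a in ("*", "s3:*", "s3:getobject"):
                out.add("anyone:read")
            if a in ("*", "s3:*", "s3:listbucket"):
                out.add("anyone:list")
    return out

def bucket_exposure(acl, policy_json=None):
    """Merge both sources into a sorted list; an empty list means no public grant was found."""
    return sorted(acl_findings(acl) | (policy_findings(policy_json) if policy_json else set()))

# Constructed sample: owner keeps FULL_CONTROL, but the ACL also grants WRITE to AllUsers and the policy lets anyone read objects.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Note that a bucket policy with a single statement object rather than a list, and grants made through IAM user policies, are outside what this check reads.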

Andrea Continella
Politecnico di Milano
Italy

Mario Polino
Politecnico di Milano
Italy

Marcello Pogliani
Politecnico di Milano
Italy

Stefano Zanero
Politecnico di Milano
Italy
