Cloud security

Misconfigured S3 buckets expose residents’ data in more than 80 US municipalities

Visitors arrive at the cloud pavillion of Amazon Web Services at a technology trade fair on March 14, 2016, in Hanover, Germany. Misconfigured S3 buckets compromised the physical addresses, phone numbers, IDs, and tax documents of local residents in more than 80 U.S. cities, researchers found. (Sean Gallup/Getty Images)

Researchers earlier this week found misconfigured Amazon S3 buckets holding the data of more than 80 U.S. cities, mostly in New England.

A blog post by ethical hackers WizCase said the misconfigured S3 buckets held more than 1,000 gigabytes of data and more than 1.6 million files.

The breach compromised the physical addresses, phone numbers, IDs, and tax documents of local residents. The researchers said because of the large number and various types of unique documents, it was difficult to estimate the number of residents exposed. 

The WizCase researchers said more than 100 U.S. cities appeared to use the same product, mapsonline.net, marketed by PeopleGIS. The researchers said their scanner found 114 Amazon S3 Buckets that were named after the same pattern, which is how they made the connection to PeopleGIS. Among the 114, some 28 were properly configured — meaning they weren’t accessible — and 86 were accessible without any password or encryption.

WizCase said it reached out to PeopleGIS and the misconfigured buckets have since been secured.

Massachusetts-based PeopleGIS specializes in information management software. Many municipalities in Massachusetts and a few in other New England states such as Connecticut and New Hampshire also use the PeopleGIS software.

Now, some 80 U.S. municipalities join the long list of organizations that have suffered a data breach or vulnerability as a result of a misconfigured open S3 container, said Ryan Davis, senior manager, cloud at ExtraHop. Davis said there have even been cloud-native companies like Uber that have fallen to this common misconfiguration.

“The worst part of all this is that it could have been avoided because it’s a simple failure of process and technology, but has cost companies millions of dollars and done irreparable damage to reputations,” Davis said. “The default configuration for S3 is closed to the public internet. With that default configuration, it's reasonably secure. But the problem with relying on this configuration is that it assumes that only people within the organization are using it. However, it’s actually very easy to misconfigure S3 in such a way that it's left open to anyone.”

Mohit Tiwari, co-founder and CEO at Symmetry Systems, said S3 buckets and data object policies are complex and easy to get wrong. He said they are complex because AWS has created several iterations of permissions over the years, and also because product teams have to ship quickly and security decisions are not revisited, especially in smaller organizations without dedicated cloud-security teams.

“At the same time, organizations, such as Netflix and others, demonstrate and share great open-source tools to create infrastructure with best security practices built-in,” Tiwari said. “The good news for organizations is that small investments in creating a 'paved path' for their product teams is likely to reduce their attack surface significantly, without slowing them down.”

Max Henderson, manager of incident response at Pondurance, added that in addition to accidentally exposing S3 buckets through misconfiguration, they commonly see that organizations have not enabled the necessary auditing of the affected S3 buckets to determine if unauthorized access occurred and to what extent.

“Per AWS documentation, CloudTrails logs should be sent to an S3 bucket for long-term retention. Additionally, S3 Bucket Access logging is not enabled by default and must be configured by the administrator of the instance.”

prestitial ad