Google Cloud Buckets Exposed in Rampant Misconfiguration


Apr 24, 2016
A worrying share of cloud storage buckets holding highly sensitive information are publicly accessible, an analysis shows.

About six percent of the Google Cloud Storage buckets in a recent sample were misconfigured and left open to the public internet, so that anyone could read their contents.

In a survey of 2,064 Google Cloud buckets by Comparitech, 131 (roughly 6.3 percent) were found to be vulnerable to unauthorized access: anonymous users could list, download and/or upload files. Among the exposed data the firm uncovered were 6,000 scanned documents, including passports, birth certificates and personal profiles of children in India. Another bucket, belonging to a Russian web developer, contained email server credentials and the developer’s chat logs.

“Those buckets can contain confidential files, databases, source code and credentials, among other things,” wrote researcher Paul Bischoff at the firm, in a posting on Tuesday.

He added that uncovering exposed cloud buckets is a trivial matter. In Google’s case, the naming guidelines make them easy to guess and enumerate: Google Cloud Storage bucket names must be between three and 63 characters long, may contain only lowercase letters, numbers, dashes, underscores and dots (no spaces), and must start and end with a number or letter. Because a bucket name is globally unique and is served from a predictable hostname, a guessed name can be confirmed or ruled out with a single unauthenticated request.

“Our researchers were able to scan the web using a special tool available to both administrators and malicious hackers. They searched for domain names from Alexa’s top 100 websites in combination with common words used when naming buckets like ‘bak,’ ‘db,’ ‘database’ and ‘users,’” Bischoff explained. “Filtering based on the search input and the naming guidelines, they were able to find more than 2,000 buckets in about 2.5 hours. Our researchers noted they could likely improve their analysis to cover even more domains.”

With the list of buckets in hand, the researchers then checked whether each one was vulnerable or misconfigured, that is, whether it answered an anonymous request to list, read or write objects.

“This is where our researchers’ analysis stopped, but of course, an attacker could go much further. For example, an attacker could download all files in the bucket using the ‘gsutil’ command-line tool, an official tool from Google for managing buckets,” Bischoff warned.
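The enumeration and checking procedure described above, as an added example that is not Comparitech’s tool and not code from the article. It builds candidate bucket names from a site name plus the common words the article quotes, keeps only names that satisfy the GCS naming rules, and interprets the response an unauthenticated listing request would receive from the storage.googleapis.com XML endpoint. The separator list, the status-code mapping and the sample responses are assumptions for illustration; the script makes no network request unless `probe()` is called explicitly, and that should only be done against buckets you are authorised to test.

```python
"""Added example (not Comparitech's tool and not code from the article):
enumerate candidate Google Cloud Storage bucket names the way the article
describes, keep only names that satisfy GCS naming rules, and interpret the
response an unauthenticated listing request gets back.  Response samples are
constructed; nothing here touches the network unless probe() is called."""
import re
import urllib.error
import urllib.request
from itertools import product

# Words quoted in the article; extend the list for a wider search.
COMMON_WORDS = ["bak", "db", "database", "users"]
# Assumed separators between the site name and the word.
SEPARATORS = ["", "-", "_", "."]

# 3-63 chars, lowercase letters/digits/dashes/underscores/dots,
# first and last char a letter or digit (the rules the article summarises).
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """True if `name` could be a GCS bucket name under the rules above.
    (Names containing dots may exceed 63 chars in practice, with each
    dot-separated component capped at 63; that longer form is not accepted here.)"""
    return _BUCKET_RE.match(name) is not None


def candidate_names(domain: str) -> list[str]:
    """Combine a site's name with common words, e.g. 'example.com' ->
    'example-bak', 'bak-example', 'example.com_db', ... filtered by the
    naming rules so the list contains only names that could exist."""
    domain = domain.lower()
    bases = sorted({domain, domain.split(".")[0]})
    seen: set[str] = set()
    out: list[str] = []
    for base, sep, word in product(bases, SEPARATORS, COMMON_WORDS):
        for name in (f"{base}{sep}{word}", f"{word}{sep}{base}"):
            if name not in seen and is_valid_bucket_name(name):
                seen.add(name)
                out.append(name)
    return out


def classify_listing_response(status: int, body: str) -> str:
    """Interpret an unauthenticated GET on https://storage.googleapis.com/<bucket>
    (GCS XML API).  Assumed mapping, following the API's documented behaviour:
      200 with a <ListBucketResult> body -> bucket lists to anyone
      403                                -> bucket exists, listing denied
      404                                -> no such bucket
    """
    if status == 200 and "<ListBucketResult" in body:
        return "public-listable"
    if status == 403:
        return "exists-private"
    if status == 404:
        return "no-such-bucket"
    return f"unexpected-{status}"


def probe(bucket: str, timeout: float = 10.0) -> str:
    """Live check of one candidate (network access; only for buckets you are
    authorised to test)."""
    url = f"https://storage.googleapis.com/{bucket}"
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_listing_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_listing_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name in candidate_names("example.com"):
        print(name)
```

Note that a 403 still leaks information: it confirms the bucket exists, which is why enumeration results like the article’s 2,000 names come cheaply. A 200 listing means anyone can see object names; whether they can also download or upload depends on the object and bucket permissions, which the next example inspects from the owner’s side.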

While the analysis covered Google Cloud buckets only, the misconfiguration issue extends to other platforms: Amazon’s S3 buckets, for instance, are the most popular way for apps, websites and online services to store data in the cloud, and they too are frequently found exposed.

“Given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use,” Joe Moles, vice president of customer security operations at Red Canary, said via email. “At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: Better security through better IT.”
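One concrete version of the access-control review Moles is calling for, as an added example that is not code from the article or from any vendor it quotes: inspect a bucket’s IAM policy for roles granted to the public principals `allUsers` or `allAuthenticatedUsers`, classify what those grants allow, and emit the gsutil commands that remove them and enforce Public Access Prevention. The policy document is a constructed sample in the JSON shape returned by `gsutil iam get gs://<bucket>`; the grouping of predefined Storage roles into read and write sets is an assumption made for illustration, and the bucket name `acme-backups` is hypothetical.

```python
"""Added example (not from the article or any quoted vendor): flag GCS
buckets whose IAM policy grants a role to allUsers or allAuthenticatedUsers
and produce the gsutil commands to close the hole.  SAMPLE_POLICY_JSON is a
constructed document in the shape `gsutil iam get gs://<bucket>` returns."""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Assumed grouping of predefined Storage roles by what a public principal
# could do with them.  Roles outside both sets are still reported as public.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}
WRITE_ROLES = {
    "roles/storage.objectCreator",
    "roles/storage.objectAdmin",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
    "roles/storage.admin",
}

# Constructed sample: a backup bucket where someone made every object
# world-readable while the operators keep full admin rights.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["user:ops@example.com",
                 "serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "CAE=",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """(member, role) pairs in the policy granted to a public principal."""
    found = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, role))
    return found


def assess(policy: dict) -> dict:
    """Summarise exposure: is anything public, and can the public read or write?"""
    found = public_bindings(policy)
    return {
        "public": bool(found),
        "readable": any(role in READ_ROLES for _, role in found),
        "writable": any(role in WRITE_ROLES for _, role in found),
        "bindings": found,
    }


def remediation_commands(bucket: str, policy: dict) -> list[str]:
    """gsutil commands that drop each public binding, then enforce Public
    Access Prevention so a later ACL or IAM change cannot re-expose the bucket.
    (`gsutil iam ch -d member:role` is assumed to accept the full role name.)"""
    cmds = [f"gsutil iam ch -d {member}:{role} gs://{bucket}"
            for member, role in public_bindings(policy)]
    cmds.append(f"gsutil pap set enforced gs://{bucket}")
    return cmds


if __name__ == "__main__":
    report = assess(SAMPLE_POLICY)
    print(json.dumps(report, indent=2))
    if report["public"]:
        print("\n".join(remediation_commands("acme-backups", SAMPLE_POLICY)))
```

Run this over the output of `gsutil iam get` for every bucket in an inventory and the result is the configuration-tracking process Moles describes: a list of buckets, who can reach each one, and a ready-made fix. Bucket-level IAM is not the whole story on buckets that still use fine-grained (legacy ACL) access, where individual objects can carry their own public ACLs; enabling Public Access Prevention covers that case as well, which is why the example always appends it.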

2020 has had its share of high-profile incidents. In September alone, an estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, had their private information exposed via a misconfigured Elasticsearch server; a misconfigured Elasticsearch server owned by Mailfire, affecting 70 dating and e-commerce sites, was found leaking personally identifiable information (PII) and details such as romantic preferences; and NHS Wales announced that PII of Welsh residents who had tested positive for COVID-19 had been exposed after it was uploaded to a public server.
Read the full story here at Threatpost: