Bleeping Computer reports that researchers looked into the settings of Amazon S3 servers... and found that the default setting is open (configured to allow public access).
This means that anyone with a link to the S3 server could access, view, or download its content.
Sure, you still need to have the unique link... but there's stuff on Github that enables you to "enumerate Amazon S3 buckets" - i.e., get at the secret links. So yeah....
According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.
oops.
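As an added example (it is not from the article or any of the comments in this thread), here is a small Python audit helper that checks what the summary is talking about from the bucket owner's side: it takes a bucket's ACL and bucket policy in the shapes that boto3's get_bucket_acl and get_bucket_policy return and flags grants to the AllUsers/AuthenticatedUsers groups and Allow statements whose Principal is everyone. The bucket names, owner ID and policy documents below are constructed sample data so the script runs offline; plugging in real API responses is left to the reader.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone.

Added example, not code from the linked article or any commenter. Input
shapes follow boto3's get_bucket_acl / get_bucket_policy, but all sample
data here is constructed so the check runs with no AWS access.
"""
import json

# Grantee URIs AWS uses for the two "everyone" groups in a bucket ACL.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return the permissions the ACL grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append(grant["Permission"])
    return found


def _principal_is_everyone(principal):
    """True for the wildcard Principal forms: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_doc):
    """Return Allow statements whose Principal is everyone.

    A statement carrying a Condition block is reported as 'conditional'
    rather than silently passed, since whether it is really public depends
    on the condition keys, which a human should review.
    """
    if policy_doc is None:
        return []
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        hits.append({"sid": stmt.get("Sid", f"statement-{i}"),
                     "conditional": "Condition" in stmt})
    return hits


def audit_bucket(name, acl, policy_doc):
    """Combine ACL and policy findings into one report for a bucket."""
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy_doc)
    unconditional = [h for h in policy_hits if not h["conditional"]]
    return {
        "bucket": name,
        "acl_public_permissions": acl_hits,
        "policy_public_statements": policy_hits,
        "public": bool(acl_hits or unconditional),
    }


# --- constructed sample data (not real buckets or accounts) ---
OWNER = {"ID": "constructed-canonical-owner-id"}
OPEN_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-assets/*"}]})
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for report in (audit_bucket("example-open-assets", OPEN_ACL, OPEN_POLICY),
                   audit_bucket("example-private-backups", PRIVATE_ACL, None)):
        print(json.dumps(report, indent=2))
```

The two inputs are checked separately on purpose: a bucket can be private by ACL yet opened by a policy statement, or the reverse, and a report that only looks at one of them will miss the other. The account-level Block Public Access settings, which override both, are a third thing to confirm and are not modelled here.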
(Score: 0) by Anonymous Coward on Tuesday September 26, @07:11PM (1 child)
You need a 'researcher' for looking at a setting? Where can I get my lab-coat, because I'm a researcher too...
(Score: 0) by Anonymous Coward on Tuesday September 26, @07:33PM
You will be dragged away in overly tight handcuffs after being body-slammed to the ground, kicked, and beaten. Only an elite few are called "researcher" and allowed to look for cracks in the e-pavement without retribution. Nobody knows who these people are. Cynically I believe they don't exist; it's all part of a clever plot, the mechanics of which are beyond my simple-mindedness.
(Score: 4, Interesting) by nobu_the_bard on Tuesday September 26, @07:23PM
93% of them then are locking it down! That should be the headline! People less stupid than anticipated!
(Score: 2) by bob_super on Tuesday September 26, @07:38PM (1 child)
If it's left open, then it's not a breach.
It's trespassing, not "breaking and entering".
(Score: 0) by Anonymous Coward on Tuesday September 26, @07:55PM
Considering it's a public server on the WWW I think you'd have a pretty hard time arguing that it was trespassing.
Many of the people setting up the buckets probably don't care. I would guess easily 7% of S3 buckets are used for irrelevant toy projects or testbeds.
(Score: 3, Informative) by rigrig on Tuesday September 26, @07:49PM
From the docs [amazon.com]
or as a link from TFA states [acloud.guru]
And unless I'm mistaken, aren't some people using these things to host Stuff, and they actually want said Stuff to be accessible by everybody? That could explain 6.99% (plus 0.01% incompetents making private data world-readable.)
What's next? "Security researchers determine 89% of all websites publicly accessible!" (I'm just wildly making up the numbers of 10% internal websites, 1% misconfigured servers.)
No one remembers the singer.
