Thousands of companies don't protect their cloud storage, researchers found

Mar 28, 2013 10:54 GMT  ·  By

Amazon's cloud has been great for companies big and small: they no longer have to pay huge sums for on-premises data centers that sit mostly idle. With Amazon Web Services, they can move their workloads, and their data, into the cloud.

Unfortunately for many, they've also moved their subpar security practices to the cloud.

Just as people are surprised when something they post on Facebook turns up elsewhere on the internet, many companies expect that their files will stay hidden simply because nobody will come looking for them.

According to Will Vandevanter of Rapid7, Amazon's Simple Storage Service (S3) can't add another 's' (for security) to its name, though that is not exactly Amazon's fault.

He and fellow researchers found that, of the 12,328 S3 buckets they probed, 1,951 were public. Buckets are the top-level storage containers in which S3 customers keep their files.

A public bucket is one whose access control list or bucket policy grants listing to everyone. Anyone who knows the bucket's URL can request it, receive an XML listing of its contents, and then fetch any file whose key appears in that listing. The URL is easy to guess: bucket names are global and usually mirror a company or product name, and every bucket answers at one of two predictable addresses, bucket-name.s3.amazonaws.com or s3.amazonaws.com/bucket-name.
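The probe described above, as an added example that is not part of the original article and not Rapid7's tool: a GET on a bucket URL comes back as a listing (public), a 403 (exists, listing denied), a 404 (no such bucket) or a 301 (bucket lives on another regional endpoint), and the listing's keys can be triaged for the kinds of files the researchers reported. The status codes and XML element names are those of the real S3 ListBucket API; the bucket name, response bodies and key names are constructed samples, and no network request is made.

```python
"""Classify the response to an unauthenticated S3 bucket probe.

Added example, not code from the original article or from Rapid7.
The status codes and XML element names are those of the real S3
ListBucket (GET Bucket) API; the response bodies below are constructed
samples, not captures from any real bucket. No network access is made.
"""
import re
import xml.etree.ElementTree as ET

# Every element of a ListBucketResult sits in this namespace; ElementTree
# needs it spelled out. S3 error bodies (<Error>) carry no namespace.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key-name patterns for the kinds of data the researchers reported finding.
# Heuristic triage only: a hit is a lead for review, not proof.
SENSITIVE_PATTERNS = [
    (r"\.(sql|sql\.gz|dump|bak)$", "database dump"),
    (r"(^|/)\.(htpasswd|env)$", "credentials/config"),
    (r"(^|/)(id_rsa|[^/]+\.(pem|key))$", "private key"),
    (r"\.(c|cpp|java|py|js|rb|php|cs)$", "source code"),
]


def candidate_urls(bucket: str) -> list[str]:
    """The two predictable addresses every bucket answers at."""
    return [
        f"https://{bucket}.s3.amazonaws.com/",
        f"https://s3.amazonaws.com/{bucket}/",
    ]


def classify(status: int, body: str) -> dict:
    """Turn (HTTP status, body) from a GET on a bucket URL into a verdict."""
    if status == 404:                       # NoSuchBucket
        return {"verdict": "no such bucket", "keys": []}
    if status == 403:                       # AccessDenied: exists, not listable
        return {"verdict": "exists, listing denied", "keys": []}
    if status == 301:                       # PermanentRedirect to the right region
        endpoint = ET.fromstring(body).findtext("Endpoint")
        return {"verdict": "redirect", "endpoint": endpoint, "keys": []}
    if status == 200:
        root = ET.fromstring(body)
        if root.tag != S3_NS + "ListBucketResult":
            return {"verdict": "unexpected 200 body", "keys": []}
        keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
        truncated = root.findtext(S3_NS + "IsTruncated") == "true"
        # S3 returns at most 1000 keys per request; when IsTruncated is
        # true the next page is requested with ?marker=<last key seen>.
        return {
            "verdict": "public listing",
            "keys": keys,
            "truncated": truncated,
            "next_marker": keys[-1] if truncated and keys else None,
        }
    return {"verdict": f"unexpected status {status}", "keys": []}


def triage(keys: list[str]) -> dict[str, list[str]]:
    """Group listed keys by the first sensitive pattern they match."""
    hits: dict[str, list[str]] = {label: [] for _, label in SENSITIVE_PATTERNS}
    for key in keys:
        for pattern, label in SENSITIVE_PATTERNS:
            if re.search(pattern, key, re.IGNORECASE):
                hits[label].append(key)
                break
    return hits


# Constructed sample responses (not captured from any real bucket).
PUBLIC_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-corp-backups</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <Contents><Key>db/prod-dump-2013-03-01.sql.gz</Key><Size>52428800</Size></Contents>
  <Contents><Key>photos/IMG_0042.jpg</Key><Size>1048576</Size></Contents>
  <Contents><Key>config/.htpasswd</Key><Size>84</Size></Contents>
  <Contents><Key>src/game/main.c</Key><Size>4096</Size></Contents>
  <Contents><Key>keys/deploy.pem</Key><Size>1679</Size></Contents>
</ListBucketResult>"""

ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

REDIRECT = ("<Error><Code>PermanentRedirect</Code>"
            "<Endpoint>example-corp-backups.s3-us-west-2.amazonaws.com</Endpoint></Error>")

if __name__ == "__main__":
    for url in candidate_urls("example-corp-backups"):
        print("would GET", url)
    result = classify(200, PUBLIC_LISTING)
    print(result["verdict"], len(result["keys"]), "keys, truncated:", result["truncated"])
    for label, found in triage(result["keys"]).items():
        if found:
            print(f"  {label}: {found}")
```

The same mechanics work in reverse as a check on your own estate: a bucket that returns a listing to an unauthenticated GET is public no matter what its owner intended, and the grant responsible is almost always READ for the AllUsers group (http://acs.amazonaws.com/groups/global/AllUsers) in the bucket ACL, which `aws s3api get-bucket-acl --bucket <name>` shows.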

From those 1,951 buckets, the researchers were able to list 126 billion publicly available files. A sample of 40,000 of them showed that many contained sensitive data, data that has no business being public.

Private photos, credentials, source code for apps and games, and unprotected databases, some of them containing encrypted passwords, were all available, and many still are.

These companies relied on the relative obscurity of the URL; the buckets were meant for internal use only. But a bucket that allows public listing is public in fact, whatever its owner intended, and anyone can read what is in it.

This is not a failing of Amazon, it must be noted: S3 buckets are private by default. It is a failing of the companies that use S3, opened their buckets up, and never checked what they had exposed.