'BuckHacker' search tool lets users trawl through unsecured AWS buckets

A new service designed by white hat hackers has been launched that allows anyone to search for unsecured data stored in Amazon Web Services (AWS) S3 buckets.

The BuckHacker tool provides a Google-like search engine that trawls through Amazon S3 storage containers, known as buckets, in order to find those whose permissions have been misconfigured to allow public access and that may therefore be hosting sensitive data exposed to the internet.

It follows a spate of data leaks over the past year involving high profile companies storing customer and client data in S3 buckets configured to permit public access, the contents of which could be read by anyone who knew the bucket's address.

Accenture, WWE, the AA, Dow Jones, and even the US National Security Agency have been caught out by misconfigured buckets, and have been criticised for failing to apply the most basic of access controls.

Typically, these discoveries were made by research groups stumbling upon a publicly accessible bucket. BuckHacker, however, claims to make the process far easier, allowing users to search AWS listings by bucket name or by filenames that could be associated with a company, although its developer maintains this is to raise awareness rather than to aid would-be hackers.

While the tool is basic in its design, it's able to collect the results and store them in a database for other users to view, the tool's developer explained to Motherboard.

"The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years," explained the BuckHacker developer. "The project is still in a really super alpha stage (there are several bugs at the moment that we try to fix)."

BuckHacker is certainly not the first tool of its kind: utilities such as AWSBucketDump already allow users to hunt for leaky AWS buckets, and some bucket addresses can be found through Google if a user knows what to search for. However, BuckHacker is notable as it is by far the most user-friendly tool to emerge.
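The check these tools perform is simple: request a bucket's address without any credentials and see how S3 answers. The following is an added example written for this article, not BuckHacker's or AWSBucketDump's own code. It assumes the public S3 REST endpoint form `https://<bucket>.s3.amazonaws.com/` and the `ListBucketResult` XML that S3 returns when an anonymous listing succeeds; the candidate bucket-name suffixes and the "sensitive filename" patterns are the author's own guesses, not anything the article documents. The sample responses embedded in the block are constructed, so the classification logic runs offline.

```python
"""Check whether S3 buckets answer anonymous requests, the way bucket-hunting tools do.

Added example (not BuckHacker's or AWSBucketDump's own code). It assumes the public
S3 REST endpoint https://<bucket>.s3.amazonaws.com/ and the ListBucketResult XML
S3 returns for a successful anonymous listing; SUFFIXES and SENSITIVE_KEY_RE are
the author's assumptions about naming conventions.
"""
import re
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Assumed naming conventions a company might use for its buckets; adjust for your estate.
SUFFIXES = ["", "-backup", "-backups", "-dev", "-staging", "-prod", "-data", "-logs"]

# Assumed patterns for object keys that deserve a closer look.
SENSITIVE_KEY_RE = re.compile(
    r"\.(sql|bak|dump|pem|key|env|csv)$|passport|licen[cs]e|backup|customer", re.I
)


def candidate_names(company):
    """Derive plausible bucket names from a company name (the BuckHacker-style approach)."""
    base = re.sub(r"\s+", "-", company.strip().lower())
    base = re.sub(r"[^a-z0-9-]", "", base)
    return [base + suffix for suffix in SUFFIXES]


def classify_bucket_response(status, body):
    """Map the status and body of an unauthenticated GET on the bucket URL to an exposure state.

    Returns (state, keys). Only a 200 carrying a ListBucketResult proves the bucket is
    publicly listable. A 403 means the bucket exists but refuses anonymous listing;
    individual objects may still be public-read, since object ACLs are separate.
    A 404 means no such bucket exists.
    """
    if status == 200:
        root = ET.fromstring(body)
        if root.tag == S3_NS + "ListBucketResult":
            keys = [k.text for k in root.iter(S3_NS + "Key") if k.text]
            return "public-listable", keys
        return "unexpected-200", []
    if status == 403:
        return "exists-private", []
    if status == 404:
        return "nonexistent", []
    if status in (301, 307):
        return "exists-other-region", []
    return "unknown", []


def flag_sensitive_keys(keys):
    """Return the object keys whose names suggest sensitive content."""
    return [k for k in keys if SENSITIVE_KEY_RE.search(k)]


def probe_bucket(name, timeout=10):
    """Live check: anonymous GET on the bucket endpoint. Requires network access."""
    req = Request(f"https://{name}.s3.amazonaws.com/",
                  headers={"User-Agent": "bucket-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_bucket_response(resp.status, resp.read())
    except HTTPError as err:
        return classify_bucket_response(err.code, err.read())


# Constructed sample of what S3 returns for a publicly listable bucket (not a real bucket).
SAMPLE_PUBLIC_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-corp-backup</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>db/customers.sql</Key><Size>104857600</Size></Contents>
  <Contents><Key>scans/passport_0001.jpg</Key><Size>204800</Size></Contents>
  <Contents><Key>static/logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

# Constructed sample of the AccessDenied error body S3 returns with a 403.
SAMPLE_DENIED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""


if __name__ == "__main__":
    for name in candidate_names("Example Corp"):
        state, keys = probe_bucket(name)
        print(name, state, flag_sensitive_keys(keys))
```

Run this only against buckets you own or are authorised to test. The useful defensive reading is the reverse of the attacker's: feed it your own bucket inventory and treat anything that comes back `public-listable` as an incident. Note that `exists-private` only tells you anonymous listing is denied; a bucket can refuse listing while still serving individual objects whose ACL is public-read, so a full audit also has to inspect object permissions.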

"Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered essential for enterprise IT," said Mike Schuricht, VP of product management at security firm Bitglass.

News of the tool coincided with the leak of 119,000 files belonging to customers of courier firm FedEx, which included home and email addresses, as well as driving licence and passport details.

"FedEx is just the latest in a laundry list of organisations with deep pockets and deep security resources that have fallen victim to this very basic, yet critical error," added Schuricht.

Amazon revealed in November that it was introducing default encryption for new objects in S3 buckets. That feature does not, on its own, prevent leaks of this kind: server-side encryption protects data at rest, but S3 decrypts transparently for any request the bucket's permissions allow, so an object in a publicly readable bucket is served in the clear regardless of whether it is encrypted on disk. What stops these exposures is restrictive bucket permissions, and those have to be reviewed bucket by bucket, meaning that data stored in buckets a company is unaware of will remain exposed.

IT Pro has contacted Amazon to see whether it's aware of the new tool.


Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He is the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including those of IBM, Red Hat, and Google, and has been a regular reporter at Microsoft's various yearly showcases, including Ignite.