Another day, another treasure trove left publicly available in the cloud by a hapless admin. This time, GoDaddy found the configuration details for its servers in full public view on an Amazon Simple Storage Services (S3) bucket.
Security firm UpGuard discovered the data languishing online in June stored on the Amazon service, which enables customers to store data in the cloud. Someone left configuration details for over 24,000 server host names stored in unencrypted form and misconfigured it so that anyone on the web could gain access.
The files, located in an S3 bucket called abbotgodaddy, contained a 17Mb spreadsheet with tens of thousands of rows. They included information on each server’s host name, the operating system that it ran and what workload it was running. They also included the AWS region in which it was running, the amount of memory it contained and the CPU it was using. In all, 41 data points were listed for each server.
“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment,” said UpGuard in a statement.
The security firm’s team argued that this is a potentially significant event because of GoDaddy’s sheer size. It is the largest web host in the world by market share. The data left online wouldn’t provide enough information to hack into GoDaddy’s servers directly, but would help hackers to find likely targets based on the workload that they were running, UpGuard said.
The security firm also argues that understanding the inner workings of a piece of cloud infrastructure this large could enable attackers to mount a denial of service attack on the broader Internet. It pointed to prior DDoS attacks on companies responsible for processing large amounts of online traffic, singling out the 2016 Mirai malware attack on DNS provider Dyn.
“If the DYN DNS attack was any indication, large scale Internet attacks are not only possible, but extremely effective, as certain organizations have essentially become critical points of failure for the system as a whole,” said the company.
GoDaddy took around five weeks to respond. The security researchers notified it on June 20th, and it mailed back on July 26th, taking down the files on the same day.
It isn’t the first time someone has slipped up by misconfiguring an S3 bucket. Analytics firm Alteryx left the personal financial data of 123m US households on the Amazon service last year, and Accenture left passwords and decryption keys on an unprotected S3 instance. This year, Parisian marketing firm Octoly left the contact information and personal details of 12,000 social media influencers on an S3 repository, along with information about blue chip clients. Verizon also exposed 14m customer records that way.
In these cases, AWS customers were the root of the problem, but the GoDaddy leak came from an S3 bucket created by an AWS salesperson who used it to store information about pricing strategies. The information consequently contained information about discounts given to GoDaddy which could have also been competitively sensitive for the company, UpGuard concluded.
There are two takeaways here. The first, as UpGuard notes, is that as some companies become large enough to account for significant swathes of Internet traffic, they create significant points of failure that pose a potential risk to broad Internet services.
The second is that the cloud’s ease of use continues to pose a security threat. Convenient cloud services lower the barrier to entry, making it possible for people to put lots of sensitive information online very quickly without understanding how to protect it. This is something that SecTor speaker Sean Cassidy discussed at the 2017 conference.
Last year, Amazon put a visible warning on the AWS dashboard to warn admins if a bucket has been left publicly accessible. The cloud giant also added features including the ability to mandate encryption for S3 buckets, and a detailed inventory report telling customers the encryption status of all its stored data. Now, all customers (and apparently its own salespeople) have to do is use them.