'BuckHacker' search tool lets users trawl through unsecure AWS buckets

Developers claim the tool is designed to 'raise awareness' on server security

A new service designed by white hat hackers has been launched and allows anyone to search for unsecured data stored on Amazon Web Services (AWS) servers.

The Buckhacker plugin creates a Google-like search engine that's able to trawl through AWS servers, known as buckets, in order to find those that are misconfigured and potentially host sensitive data that's left exposed to the internet.

It follows a spate of data leaks over the past year involving high profile companies storing customer and client data on AWS servers without password protection, the contents of which could be accessed by anyone with the bucket address.

Accenture, WWE, AA, Dow Jones, and even the US' National Security Agency have been caught out by misconfigured servers, and have been criticised for failing to follow the most basic of security protocols.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Typically, these discoveries were made by research groups stumbling upon a publicly accessible server. However, Buckhacker claims to make the process far easier, allowing users to search AWS listings by using bucket name or filenames that could be associated with a company, although it maintains this is to raise awareness rather than aid would-be hackers. 

While the tool is basic in its design, it's able to collect the results and store them in a database for other users to view, the tool's developer explained to Motherboard.

"The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years," explained the BuckHacker developer. "The project is still in a really super alpha stage (there are several bugs at the moment that we try to fix)."

The Buckhacker plugin is certainly not the first of its kind, as tools such as AWSBucketDump already allows users to maliciously hunt for leaky AWS buckets, and some server addresses can be accessed through Google if a user knows what to search for. However, Buckerhacker is notable as it's by far the most user-friendly tool to emerge.

"Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered essential for enterprise IT," said Mike Schuricht, VP of product management at security firm Bitglass.

News of the tool coincided with the leak of 119,000 files belonging to customers of courier firm FedEx, which included home and email addresses, as well as drivers licence and passport details.

Advertisement - Article continues below

"FedEx is just the latest in a laundry list of organisations with deep pockets and deep security resources that have fallen victim to this very basic, yet critical error," added Schuricht.

Amazon revealed in November that it was introducing default encryption for all new AWS servers, which would theoretically prevent leaks of this kind happening in the future. But the encryption feature needs to be manually applied to any existing bucket, meaning that data stored on servers that a company is unaware of will still be vulnerable.

IT Pro has contacted Amazon to see whether it's aware of the new tool.

Image: Shutterstock

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/technology/artificial-intelligence-ai/354796/ai-identifies-11-earth-bound-asteroids
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020