'BuckHacker' search tool lets users trawl through unsecure AWS buckets

Developers claim the tool is designed to 'raise awareness' on server security

A new service designed by white hat hackers has been launched and allows anyone to search for unsecured data stored on Amazon Web Services (AWS) servers.

The Buckhacker plugin creates a Google-like search engine that's able to trawl through AWS servers, known as buckets, in order to find those that are misconfigured and potentially host sensitive data that's left exposed to the internet.

It follows a spate of data leaks over the past year involving high-profile companies storing customer and client data on AWS servers without password protection, the contents of which could be accessed by anyone with the bucket address.

Accenture, WWE, AA, Dow Jones, and even the US' National Security Agency have been caught out by misconfigured servers, and have been criticised for failing to follow the most basic of security protocols.

Typically, these discoveries were made by research groups stumbling upon a publicly accessible server. However, Buckhacker claims to make the process far easier, allowing users to search AWS listings by bucket name or by filenames that could be associated with a company, although it maintains this is to raise awareness rather than aid would-be hackers.

While the tool is basic in its design, it's able to collect the results and store them in a database for other users to view, the tool's developer explained to Motherboard.

"The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years," explained the BuckHacker developer. "The project is still in a really super alpha stage (there are several bugs at the moment that we try to fix)."

The Buckhacker plugin is certainly not the first of its kind, as tools such as AWSBucketDump already allow users to maliciously hunt for leaky AWS buckets, and some server addresses can be accessed through Google if a user knows what to search for. However, Buckhacker is notable as it's by far the most user-friendly tool to emerge.

"Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered essential for enterprise IT," said Mike Schuricht, VP of product management at security firm Bitglass.

News of the tool coincided with the leak of 119,000 files belonging to customers of courier firm FedEx, which included home and email addresses, as well as driver's licence and passport details.

"FedEx is just the latest in a laundry list of organisations with deep pockets and deep security resources that have fallen victim to this very basic, yet critical error," added Schuricht.

Amazon revealed in November that it was introducing default encryption for all new AWS servers, which would theoretically prevent leaks of this kind happening in the future. But the encryption feature needs to be manually applied to any existing bucket, meaning that data stored on servers that a company is unaware of will still be vulnerable.

IT Pro has contacted Amazon to see whether it's aware of the new tool.
