'BuckHacker' search tool lets users trawl through unsecure AWS buckets

Developers claim the tool is designed to 'raise awareness' on server security

A new service designed by white hat hackers has been launched and allows anyone to search for unsecured data stored on Amazon Web Services (AWS) servers.

The Buckhacker plugin creates a Google-like search engine that's able to trawl through AWS servers, known as buckets, in order to find those that are misconfigured and potentially host sensitive data that's left exposed to the internet.

It follows a spate of data leaks over the past year involving high profile companies storing customer and client data on AWS servers without password protection, the contents of which could be accessed by anyone with the bucket address.

Accenture, WWE, AA, Dow Jones, and even the US National Security Agency have been caught out by misconfigured servers, and have been criticised for failing to follow the most basic of security protocols.

Typically, these discoveries were made by research groups stumbling upon a publicly accessible server. However, Buckhacker claims to make the process far easier, allowing users to search AWS listings by using bucket name or filenames that could be associated with a company, although it maintains this is to raise awareness rather than aid would-be hackers. 

While the tool is basic in its design, it's able to collect the results and store them in a database for other users to view, the tool's developer explained to Motherboard.

"The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years," explained the BuckHacker developer. "The project is still in a really super alpha stage (there are several bugs at the moment that we try to fix)."

The Buckhacker plugin is certainly not the first of its kind, as tools such as AWSBucketDump already allow users to maliciously hunt for leaky AWS buckets, and some server addresses can be accessed through Google if a user knows what to search for. However, BuckHacker is notable as it's by far the most user-friendly tool to emerge.

"Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered essential for enterprise IT," said Mike Schuricht, VP of product management at security firm Bitglass.

News of the tool coincided with the leak of 119,000 files belonging to customers of courier firm FedEx, which included home and email addresses, as well as driver's licence and passport details.

"FedEx is just the latest in a laundry list of organisations with deep pockets and deep security resources that have fallen victim to this very basic, yet critical error," added Schuricht.

Amazon revealed in November that it was introducing default encryption for all new AWS servers, which would theoretically prevent leaks of this kind happening in the future. But the encryption feature needs to be manually applied to any existing bucket, meaning that data stored on servers that a company is unaware of will still be vulnerable.
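The two gaps the article describes, a bucket readable by anyone and a bucket that never had default encryption applied, can both be spotted from an account's own configuration before a search tool finds them. The following added example is not part of the article or of BuckHacker: it evaluates dicts shaped like the S3 GetBucketAcl and GetBucketEncryption responses against a constructed sample inventory, so it needs no AWS credentials; the bucket names and the owner ID are invented.

```python
"""Offline audit for the two gaps the article describes: S3 buckets readable by
anyone, and buckets with no default encryption. The checks take dicts shaped like
the GetBucketAcl / GetBucketEncryption API responses, so they run on the
constructed sample below without AWS credentials."""

# Predefined S3 groups that make an ACL grant readable by everyone / any AWS user.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def acl_is_public(acl):
    """True if any ACL grant targets AllUsers or AuthenticatedUsers.
    Bucket ACL only: a bucket policy can also open a bucket, check it separately."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False

def has_default_encryption(enc):
    """True if the bucket carries a default-encryption rule. Pass None for a bucket
    where GetBucketEncryption failed with ServerSideEncryptionConfigurationNotFoundError."""
    if not enc:
        return False
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)

def audit(inventory):
    """inventory: {bucket: {"acl": ..., "encryption": ...}} -> sorted findings."""
    findings = []
    for name, cfg in sorted(inventory.items()):
        if acl_is_public(cfg["acl"]):
            findings.append((name, "ACL grants access to a public group"))
        if not has_default_encryption(cfg.get("encryption")):
            findings.append((name, "no default encryption configured"))
    return findings

# Constructed sample inventory; bucket names and owner ID are invented.
SAMPLE = {
    "corp-backups-2017": {  # open to AllUsers and unencrypted: the article's scenario
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]},
        "encryption": None,
    },
    "corp-app-assets": {  # owner-only ACL with SSE-S3 default encryption
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                            "Permission": "FULL_CONTROL"}]},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    },
}
```

Calling `audit(SAMPLE)` reports only the open, unencrypted bucket; to run it against a real account, build the same inventory from boto3's `list_buckets`, `get_bucket_acl` and `get_bucket_encryption` calls.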

IT Pro has contacted Amazon to see whether it's aware of the new tool.
