File storage in the cloud now underpins most applications, websites and online services. There are multiple providers of such cloud storage, including Amazon Web Services and Google Cloud buckets. A new report now indicates that they might not be as safe as they seem.
Recent research by Comparitech's cybersecurity research team states that both of these cloud services are subject to data breaches and exposures. Based on an analysis of 2,064 buckets, the research finds that about six percent of all Google Cloud buckets are "misconfigured and/or vulnerable to attack."
Out of the 2,064 buckets, the report highlights that 131 were vulnerable to unauthorized access. This access would allow a visitor to "list, download, and/or upload files."
The report notes that such buckets can expose confidential files, databases, source code and credentials, among other data, to malicious actors. A targeted attack could thus take advantage of these misconfigurations to "steal data, compromise websites, and launch further attacks." The researchers point out that these vulnerabilities are easy to exploit.
In the research, Comparitech found that the exposed data included 6,000 scanned documents "containing passports, birth certificates, and personal profiles from children in India."
Another exposed database, belonging to a Russian web developer, included email server login credentials and the developer's chat logs. The researchers found these vulnerable buckets using domain names from Alexa's top 100 websites combined with common terms used in bucket names, including "bak", "db", "database", and "users".
Using this strategy, the researchers found more than 2,000 buckets in about 2.5 hours. Once they had the list of buckets, they inspected them for vulnerabilities. Around six percent of these buckets could be accessed without authentication.
The report points out that while the researchers stopped at this stage, an attacker "could go much further." An attacker could download all files in a bucket "using the gsutil command line tool", an official Google tool for managing buckets.
Google did not answer Comparitech's questions on the topic, but instead responded with guidelines on how to secure Google Cloud buckets, which are as follows.
- Turn on uniform bucket-level access and its org policy
- Enable domain-restricted sharing
- Encrypt your Cloud Storage data with Cloud KMS
- Audit your Cloud Storage data with Cloud Audit Logging
- Secure your data with VPC Service Controls
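The first of Google's guidelines, and the "list, download, and/or upload" exposure the report describes, can both be checked from a bucket's IAM policy and its metadata. The following is an added example, not code from the article, from Comparitech or from Google: it takes the JSON shapes returned by the Cloud Storage JSON API (a bucket resource with its `iamConfiguration`, and the bucket's IAM policy with `bindings`) and flags any binding granted to the public principals `allUsers` or `allAuthenticatedUsers`, any bucket without uniform bucket-level access, and any bucket where public access prevention is not enforced. The two bucket records and policies below are constructed sample data, not real buckets.

```python
import json
from typing import Dict, List

# Principals that make a binding reachable by anyone on the internet (allUsers)
# or by anyone holding any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(iam_policy: Dict) -> List[str]:
    """Return 'role -> principal' for every IAM binding granted to a public principal.

    roles/storage.objectViewer to allUsers is the classic 'list and download'
    exposure; roles/storage.objectCreator to allUsers lets anyone upload.
    """
    findings = []
    for binding in iam_policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{binding.get('role')} -> {member}")
    return findings


def uniform_access_enabled(bucket: Dict) -> bool:
    """True when uniform bucket-level access is on, so per-object ACLs cannot
    silently widen access beyond the bucket IAM policy."""
    cfg = bucket.get("iamConfiguration", {})
    return bool(cfg.get("uniformBucketLevelAccess", {}).get("enabled", False))


def public_access_prevention_enforced(bucket: Dict) -> bool:
    """True when publicAccessPrevention is 'enforced' (the other value is 'inherited')."""
    cfg = bucket.get("iamConfiguration", {})
    return cfg.get("publicAccessPrevention") == "enforced"


def audit_bucket(bucket: Dict, iam_policy: Dict) -> List[str]:
    """Collect human-readable findings for one bucket; an empty list means no issue found."""
    name = bucket.get("name", "<unknown>")
    issues = [f"{name}: public binding {b}" for b in public_bindings(iam_policy)]
    if not uniform_access_enabled(bucket):
        issues.append(f"{name}: uniform bucket-level access is disabled")
    if not public_access_prevention_enforced(bucket):
        issues.append(f"{name}: public access prevention is not enforced")
    return issues


# Constructed sample data in the shape of the JSON API responses (hypothetical bucket names).
WEAK_BUCKET = json.loads("""{
  "name": "example-corp-db-bak",
  "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false},
                       "publicAccessPrevention": "inherited"}
}""")
WEAK_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer",  "members": ["allUsers"]},
    {"role": "roles/storage.objectCreator", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}
  ]
}""")

HARDENED_BUCKET = json.loads("""{
  "name": "example-corp-db-bak",
  "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true},
                       "publicAccessPrevention": "enforced"}
}""")
HARDENED_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:backup-readers@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for label, bucket, policy in (("weak", WEAK_BUCKET, WEAK_POLICY),
                                  ("hardened", HARDENED_BUCKET, HARDENED_POLICY)):
        print(f"[{label}]")
        for issue in audit_bucket(bucket, policy) or ["no issues found"]:
            print("  " + issue)
```

In practice the two JSON documents come from the bucket's `get` and `getIamPolicy` calls (for example via the JSON API or the `google-cloud-storage` client), and the audit would be run over every bucket in the organization rather than the two constructed records here. The uniform-access check mirrors Google's first guideline: with uniform bucket-level access off, a single object ACL can expose a file even when the bucket policy itself looks clean, which is why the policy check alone is not sufficient.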