Amazon’s Simple Storage Service (S3) is an object store, a foundational cloud service for many cloud native applications. While cloud services are intended to be accessible over HTTPS endpoints to facilitate rapid integrations with software components, this presents special risks because anyone on the Internet can attempt to access the endpoint and use the service—in the case of an object store, the service would store or retrieve objects (e.g. files) on behalf of the user. At first glance, this may not appear to be a huge concern, because cloud providers have strong authentication and authorization systems. However, the Simple Storage Service is a special case because it can be configured to not require any authentication before retrieving data on behalf of users. Some common applications, such as photo sharing services and public websites, may intend for their images to be accessible without any authentication. If used to host publicly accessible files, the lack of authentication is appropriate.
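Because the exposure described here comes from a bucket being configured to serve objects without authentication, a practitioner's first check is whether any bucket policy statement grants read access to an anonymous principal. The following Python is an added example, not code from the original article: it evaluates two constructed bucket policies, one that grants `s3:GetObject` to `Principal: "*"` and a corrected one that grants it only to a named IAM role. The bucket name, account number and role name are placeholders.

```python
"""Flag S3 bucket policy statements that allow unauthenticated (anonymous) reads.

Added example, not code from the original article. The two policies below are
constructed samples; the bucket name, account id and role name are placeholders.
"""
import json

# Constructed sample: lets anyone on the Internet read every object in the bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Constructed sample of the corrected policy: only a named role in the owning
# account may read. 123456789012 and app-reader are placeholders.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Actions (lower-cased) that permit retrieving object contents.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the Principal element matches every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def find_anonymous_read_statements(policy_json):
    """Return Sids (or statement indexes) of Allow statements granting anonymous reads.

    A statement with a Condition block may narrow the grant (for example to a
    source VPC), so it is reported under needs_review rather than public_read.
    """
    policy = json.loads(policy_json)
    findings, review = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        (review if stmt.get("Condition") else findings).append(label)
    return {"public_read": findings, "needs_review": review}


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, find_anonymous_read_statements(doc))
```

The check only covers the bucket policy document; a bucket can also be made public through object ACLs, and statements using `NotPrincipal` or `NotAction` are not evaluated here. In practice it complements, rather than replaces, the account-level S3 Block Public Access setting.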
Unfortunately, misconfigurations by Amazon’s customers have resulted in data being exposed to any Internet user able to guess the URL that contains sensitive data. One recent example is the discovery of personal data on 198 million American voters. The data included birthdays, addresses, telephone numbers, and their likely political preferences on forty-eight categories. Of particular concern is information intended to be private, such as unlisted addresses, telephone numbers, and birthdates. Worse, these types of identifiers can be used to break into Internet accounts if the password reset functionality relies on the user’s birthdate, street name, spouse’s name, etc. as a “secret question.”
Another disturbing discovery would have enabled any Internet user to download sensitive data on Verizon Wireless customers through a third-party company that exposed records on fourteen million customers. Of course, addresses and phone numbers were part of the treasure trove, along with some unmasked PINs that would have enabled a malicious user to steal phone numbers. While this may seem to be a minor inconvenience that could be reversed by Verizon Wireless, it is worth considering the potential risk from hijacking a mobile phone number in the “connected world.” If a user relies on two-factor authentication that sends an SMS message to the user, associating the phone number with a new phone gives a malicious user control of this factor, potentially enabling the malicious user to reset passwords and hijack electronic accounts. Of course, any alerts from a bank that are “immediately sent by SMS” to advise the user that a bank account is being drained are going to go to the attacker’s phone.