Contractors, governments, and telecom giants have all previously left data on exposed Amazon Web Services (AWS) servers, meaning anyone can access them without a username or password. Now, a search engine makes combing through leaky AWS datasets that much easier. Think of it as a barebones Google, but for info that the owners may have mistakenly published to the world.
“The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years,” one of the anonymous developers of the service, called BuckHacker, told Motherboard in an email.
The search engine is specifically focused on Amazon’s Simple Storage Service (S3) and the S3 storage containers known as buckets. Users can search either by bucket name—which typically includes the name of the company or organization using the bucket—or by filename. The service is basic but largely functional: the developer explained that it collects bucket names, grabs each bucket’s index page, parses the results, and stores them in a database for others to search.
“The project is still in a really super alpha stage (there are several bugs at the moment that we try to fix),” the BuckHacker developer added. “I was sharing the project privately with some friends but unfortunately then we go public before the time. Actually we are even thinking to shutdown it because is quite unstable.”
Shortly before publication, the BuckHacker Twitter account announced that the service was going "offline for maintenance."
Motherboard confirmed the search engine works, in at least some cases, by successfully looking up a server Motherboard knew to be exposed at the time of writing.
Digging through S3 buckets certainly isn’t new. Chris Vickery, director of cyber risk research at security firm UpGuard, has cornered something of a niche for himself by regularly finding noteworthy datasets in exposed buckets. According to research published in September 2017, some 7 percent of S3 servers may be exposed.
And tools already exist for quickly grinding through leaky Amazon servers: AWSBucketDump “is a tool to quickly enumerate AWS S3 buckets to look for loot,” the project’s GitHub page reads. As the BuckHacker administrator pointed out, you can also find some exposed buckets with a specific Google search.
But BuckHacker is the most accessible way to search buckets yet, with no command line or really any other tech experience required.
BuckHacker doesn’t only return results for exposed servers. It also includes entries labelled as “Access Denied”, and “The specified bucket does not exist,” meaning, obviously, you can’t simply go access whatever data they contain. But it may still be useful for scoping out whether a target is using S3 at all.
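The three outcomes the article describes (a listable index page, “Access Denied”, and “The specified bucket does not exist”) are distinguishable from the XML that S3 returns to an unauthenticated request. The classifier below is an added example, not BuckHacker’s or UpGuard’s code; a bucket owner can run it over the responses for their own bucket names to confirm that anonymous listing is refused. The sample responses are constructed, and the function names are this example’s own.

```python
"""Classify the XML S3 returns to an unauthenticated GET on a bucket.

Added example, not code from BuckHacker. Fetching the response is left
to the caller; only the parsing and classification are shown.
"""
import xml.etree.ElementTree as ET

# Namespace S3 uses on ListBucketResult documents; Error documents have none.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample responses mirroring the three states in the article.
SAMPLE_RESPONSES = {
    "public-bucket": (
        f'<ListBucketResult xmlns="{S3_NS[1:-1]}"><Name>public-bucket</Name>'
        "<Contents><Key>backup.sql</Key></Contents>"
        "<Contents><Key>config/app.env</Key></Contents></ListBucketResult>"
    ),
    "private-bucket": (
        "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
    ),
    "unused-name": (
        "<Error><Code>NoSuchBucket</Code>"
        "<Message>The specified bucket does not exist</Message></Error>"
    ),
}


def classify_listing(xml_text: str) -> tuple[str, list[str]]:
    """Return (state, keys); keys is non-empty only for a public listing."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    tag = root.tag.replace(S3_NS, "")
    if tag == "ListBucketResult":
        # A listable index page means the bucket is world-readable: the
        # condition the article's search engine indexes.
        keys = [c.findtext(f"{S3_NS}Key") or "" for c in root.iter(f"{S3_NS}Contents")]
        return "public-listing", keys
    if tag == "Error":
        code = root.findtext("Code") or ""
        if code == "AccessDenied":
            return "access-denied", []   # bucket exists, anonymous listing refused
        if code == "NoSuchBucket":
            return "no-such-bucket", []  # no bucket with this name
    return "other", []


def audit(responses: dict[str, str]) -> dict[str, str]:
    """Map each bucket name to its state so exposed buckets stand out."""
    return {name: classify_listing(xml)[0] for name, xml in responses.items()}


if __name__ == "__main__":
    for name, state in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {state}")
```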
Amazon did not respond to a request for comment.