Researchers found hundreds of exposed Amazon cloud backup snapshots leaking customer data
If you use Amazon’s Elastic Block Store (EBS) snapshots, you may want to check how they are shared. New research, just released at the Def Con security conference, shows how companies, startups, and government agencies have inadvertently leaked their files from the cloud. Amazon-hosted storage buckets that hold sensitive data but are misconfigured and left set to “public” for anyone to access are nothing new. What you may not have heard of is an exposed EBS snapshot, which carries additional risk.
Ben Morris, a senior security analyst at the security firm Bishop Fox, said that EBS snapshots store everything on a cloud application’s disk, which is often enough to recover useful information.
“When you get rid of the hard disk for your computer, you know, you usually shred it or wipe it completely,” he said. “But these public EBS volumes are just left for anyone to take and start poking at. That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets.”
Morris built a tool on top of Amazon’s own search capabilities to query and crawl publicly exposed EBS snapshots, then load each one, make a copy, and list the contents of the volume on a system he controlled. That means if an administrator gets the sharing settings wrong and exposes a disk for even a few minutes, anyone who is looking can pull a copy of the snapshot that restores the original data from the cloud storage.
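The snapshot enumeration and clean-up described above, written as an added example for the defending side (it is not Bishop Fox’s tool or code from the article). It uses the real boto3 EC2 calls, `describe_snapshots` with `RestorableByUserIds=['all']` (how EC2 expresses “public”) and `modify_snapshot_attribute`; the `FakeEC2` class, the account number `123456789012` and the snapshot IDs in it are constructed so the script runs offline, and the `OwnerAlias` filter is an assumed heuristic for separating vendor AMI snapshots from customer disks. Without an owner filter the same query is the region-wide crawl the researcher performed.

```python
"""Find and fix publicly shared EBS snapshots (added example, not the
researcher's tool). Real boto3 API calls; FakeEC2 and its IDs are constructed."""
from typing import Dict, Iterable, List, Optional

# Assumed heuristic: snapshots published under these aliases back public AMIs
# and are meant to be public; anything else is somebody's own disk.
VENDOR_ALIASES = {"amazon", "aws-marketplace"}


def public_snapshots(ec2, owner_ids: Optional[Iterable[str]] = None) -> List[Dict]:
    """List snapshots that *any* AWS account may create a volume from.

    owner_ids=['self'] audits your own account; no owner filter is the
    region-wide crawl (tens of thousands of results, hence the NextToken loop).
    """
    kwargs = {"RestorableByUserIds": ["all"]}
    if owner_ids:
        kwargs["OwnerIds"] = list(owner_ids)
    found = []
    while True:
        resp = ec2.describe_snapshots(**kwargs)
        for s in resp["Snapshots"]:
            found.append({
                "SnapshotId": s["SnapshotId"],
                "OwnerId": s["OwnerId"],
                "OwnerAlias": s.get("OwnerAlias", ""),
                "Encrypted": s.get("Encrypted", False),
                "Description": s.get("Description", ""),
            })
        token = resp.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


def likely_customer_data(snaps: List[Dict]) -> List[Dict]:
    """Drop vendor-owned AMI snapshots; what remains is worth a closer look."""
    return [s for s in snaps if s["OwnerAlias"] not in VENDOR_ALIASES]


def make_private(ec2, snapshot_id: str) -> None:
    """Remove the 'all' group from createVolumePermission.

    Copies already taken are not undone by this: rotate the secrets on the disk.
    """
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        CreateVolumePermission={"Remove": [{"Group": "all"}]},
    )


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') with three sample snapshots."""
    ACCOUNT = "123456789012"  # documentation placeholder account, not real

    def __init__(self):
        self.snaps = {
            "snap-0a1b2c3d4e5f60001": dict(OwnerId=self.ACCOUNT, Encrypted=False,
                                           Description="prod-db nightly", perms=[{"Group": "all"}]),
            "snap-0a1b2c3d4e5f60002": dict(OwnerId=self.ACCOUNT, Encrypted=True,
                                           Description="app-server", perms=[]),
            "snap-0a1b2c3d4e5f60003": dict(OwnerId="111122223333", OwnerAlias="amazon",
                                           Encrypted=False, Description="vendor AMI",
                                           perms=[{"Group": "all"}]),
        }

    def describe_snapshots(self, OwnerIds=None, RestorableByUserIds=None, NextToken=None):
        out = []
        for sid, s in self.snaps.items():
            owner_ok = not OwnerIds or any(
                o == s["OwnerId"] or (o == "self" and s["OwnerId"] == self.ACCOUNT) for o in OwnerIds)
            is_public = any(p.get("Group") == "all" for p in s["perms"])
            if owner_ok and (not RestorableByUserIds or ("all" in RestorableByUserIds and is_public)):
                out.append({"SnapshotId": sid, **{k: v for k, v in s.items() if k != "perms"}})
        return {"Snapshots": out}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, CreateVolumePermission):
        s = self.snaps[SnapshotId]
        s["perms"] = [p for p in s["perms"] if p not in CreateVolumePermission.get("Remove", [])]
        return {}


if __name__ == "__main__":
    import boto3  # real client: needs credentials and ec2:DescribeSnapshots
    ec2 = boto3.client("ec2")
    for snap in public_snapshots(ec2, ["self"]):
        print("PUBLIC", snap["SnapshotId"], snap["Description"])
```

The equivalent one-liner for a quick check is `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all`. Two caveats worth knowing: EC2 will not let you make an encrypted snapshot public at all, so encrypting volumes with a customer-managed KMS key closes this hole structurally, and making a snapshot private again does nothing about copies that were created while it was exposed.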
In a single region, Morris found dozens of public snapshots containing application keys, user and administrative credentials, source code, and more, belonging to several large organizations, including healthcare providers and technology companies.
He also found a virtual private network configuration file in one snapshot that would have let him onto a corporate network. He did not use any of the data to test that access, because doing so would be illegal.
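What “rifling through the disk” looks like in practice, as an added example rather than the researcher’s tool: a triage pass over a restored volume for the kinds of material the article lists (cloud keys, credentials, VPN configurations). It assumes the snapshot has already been turned into a volume, attached to an instance you control and mounted read-only; `build_sample_volume()` writes a constructed mini root filesystem for an offline run, and the key ID it contains is the AWS documentation example key, not a real credential.

```python
"""Triage a mounted EBS volume for secrets (added example, not the article's
code). The sample tree from build_sample_volume() is constructed test data."""
import os
import re
import tempfile
from typing import Dict, List

# Content patterns: a match anywhere in a text file is a finding of that kind.
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "vpn_remote": re.compile(r"^\s*remote\s+\S+(?:\s+\d+)?\s*$", re.MULTILINE),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['\"]?\S+"),
}
# Path patterns: files worth flagging by location alone.
PATH_PATTERNS = {
    "aws_credentials_file": re.compile(r"(?:^|/)\.aws/credentials$"),
    "ssh_private_key_file": re.compile(r"(?:^|/)\.ssh/id_[a-z0-9]+$"),
    "shell_history": re.compile(r"(?:^|/)\.(?:bash|zsh)_history$"),
    "openvpn_config": re.compile(r"\.ovpn$|(?:^|/)openvpn/.*\.conf$"),
}
MAX_BYTES = 1 << 20  # a disk image is mostly binaries and logs; skip big files
SKIP_TOP_DIRS = {"proc", "sys", "dev"}  # nothing persisted there


def _is_text(path: str) -> bool:
    with open(path, "rb") as f:
        return b"\x00" not in f.read(1024)


def scan_volume(mount: str) -> List[Dict[str, str]]:
    """Walk the mounted filesystem; return {"path": relative, "kind": name}."""
    findings = []
    for root, dirs, files in os.walk(mount):
        if root == mount:
            dirs[:] = [d for d in dirs if d not in SKIP_TOP_DIRS]
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount).replace(os.sep, "/")
            for kind, pat in PATH_PATTERNS.items():
                if pat.search(rel):
                    findings.append({"path": rel, "kind": kind})
            try:
                if os.path.getsize(full) > MAX_BYTES or not _is_text(full):
                    continue
                with open(full, "r", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue
            for kind, pat in CONTENT_PATTERNS.items():
                if pat.search(text):
                    findings.append({"path": rel, "kind": kind})
    return sorted(findings, key=lambda x: (x["path"], x["kind"]))


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick read on what the disk exposes."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def build_sample_volume() -> str:
    """Write a constructed mini root filesystem and return its path."""
    mount = tempfile.mkdtemp(prefix="ebs-")
    samples = {
        "home/ubuntu/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "etc/openvpn/corp.conf": "client\nremote vpn.corp.example 1194\n<key>\n"
                                 "-----BEGIN PRIVATE KEY-----\nc2FtcGxlLWtleS1ib2R5\n"
                                 "-----END PRIVATE KEY-----\n</key>\n",
        "opt/app/config.yml": "db:\n  host: db.internal\n  password: hunter2\n",
        "home/ubuntu/.bash_history": "mysql -u root -pS3cret\n",
        "var/log/syslog": "Aug  8 12:00:00 web kernel: boot\n",
        "usr/bin/true": "\x7fELF\x00\x00not really a binary",
    }
    for rel, content in samples.items():
        full = os.path.join(mount, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return mount


if __name__ == "__main__":
    import shutil
    vol = build_sample_volume()
    for finding in scan_volume(vol):
        print(finding["kind"].ljust(22), finding["path"])
    shutil.rmtree(vol)
```

Path-based hits are reported even when the content pattern misses, because a `.bash_history` or `.ssh/id_rsa` is worth a human look regardless; the content patterns are deliberately narrow to keep noise down on a real multi-gigabyte image. Every hit on a customer disk is a credential to rotate, not just a file to delete.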
The most damaging find was a snapshot from a government contractor, whose name he did not disclose, that provides data storage services to federal agencies, including data collected on foreign intelligence and on border crossings. “Those are the kind of things I would definitely not want to be exposed to the public internet,” he said.
Morris estimates there may be as many as 1,250 exposed snapshots across all Amazon cloud regions. He plans to release his proof-of-concept code in the coming weeks.