Misconfigured Amazon S3 Buckets allowing man-in-the-middle attacks
Misconfigured Amazon Web Service (AWS) S3 buckets that allow public writes are enabling man-in-the-middle (MITM) attacks on servers containing data from leading news media, retail and well-known cloud services.
Skyhigh Networks Chief Scientists Sekhar Sarukkai, who dubbed the problem GhostWriter, said this type of S3 misconfiguration differs from others that have recently been disclosed that allowed illegal access to the servers. Instead, by allowing public writes a third party can launch a MITM attack. He noted that in a sample of 1,600 S3 Buckets about 4 percent are exposed to GhostWriter due to configuration errors made by the Bucket owners and not the storage provider.
“These exposed 3rd party Buckets are wide ranging and have a long tail distribution that includes Buckets owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. The breadth of this exposure necessitates both enterprises accessing this content from their networks and owners of this data resident in S3 to take actions to protect themselves from malicious actors,” Sarukkai said.
Sarukkai’s primary takeaway is S3 Bucket security requires both the customer and storage provider to take proper precautions during the configuration process.
“We have noticed that Bucket owners have either carelessly allowed public writes or have not fully understood the ramifications of read and write ACL controls, or the semantics of AWS “Authenticated Users” – all of which contribute towards a wide open environment for 3rd parties to exploit the trusted interactions,” he said.
Another point that has to be understood is that any S3 Bucket that will allow a public write, even if it just stores something as innocuous images or documents are vulnerable and endanger not only the enterprise operating the Bucket, but anyone else who interacts with that organization through a MITM attack.
Sarukkai recommends that those operating S3 Buckets audit their content to ensure an unauthorized party is not overwriting their code or using the server for cryptocurrency mining.