Contractors, governments, and telecom giants have all previously left data on exposed Amazon Web Services (AWS) servers, meaning anyone can access them without a username or password. Now, a search engine makes combing through leaky AWS datasets that much easier. Think of it as a barebones Google, but for info that the owners may have mistakenly published to the world.
“The purpose of the project is to increase awareness of bucket security; too many companies were hit for having wrong permissions on buckets in the last years,” one of the anonymous developers of the service, called BuckHacker, told Motherboard in an email.
Leaving private data on exposed AWS storage is not as rare as you might think. Security researchers and attackers alike can reach such data with ease using the right tools. To make the process easier still, a group of anonymous developers has built a tool named BuckHacker, which lets anyone search for buckets that are open to the world.
You may have read about Shodan, the search engine for internet-connected devices. BuckHacker is a comparable tool aimed at Amazon S3: it lets a user check whether a bucket's contents are publicly listable without any prior expertise in IT security.
In their email to Motherboard, the anonymous developers described the motivation for the project as raising awareness of bucket security, noting that too many companies have been hit in recent years because of wrong permissions on their buckets.
The search engine lets a user look for buckets either by bucket name or by filename. It also returns entries labelled “Access Denied” and “The specified bucket does not exist.” The distinction matters: “Access Denied” means a bucket with that name exists but its listing is not public, while “The specified bucket does not exist” means the name is unclaimed, so the first case confirms that some AWS customer owns a bucket of that name. Two caveats apply: the name alone does not prove which organisation owns the bucket, and a bucket whose listing is denied may still serve individual objects to anyone who knows their URLs.
The service collects bucket names and fetches each bucket's index page. The parsed results are stored in a database that other users can search later. According to the developers, the project is in an early stage of development and is unstable.
Beyond the developers' statements, there is little public information about BuckHacker's launch or its future. If more relevant information emerges, this article will be updated.
The search engine is specifically focused on Amazon's Simple Storage Service (S3), whose storage containers are known as buckets. Users can search either by bucket name, which often includes the name of the company or organisation using it, or by filename. The service is basic but largely functional: the developer explained that it collects bucket names, grabs each bucket's index page, parses the result and stores it in a database for others to search.
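The collection pipeline described above (candidate bucket names, an unauthenticated fetch of the bucket's index page, parsing, then storage) and the meaning of the “Access Denied” and “The specified bucket does not exist” results can be illustrated with a small probe. The following is an added example written for this article, not BuckHacker's own code. The URL layout `https://<bucket>.s3.amazonaws.com/`, the ListBucketResult XML namespace and the AccessDenied, NoSuchBucket and PermanentRedirect error codes are real S3 behaviour; the suffix wordlist, the organisation name and the sample responses are constructed assumptions so that the classifier can be exercised offline.

```python
"""Probe S3 bucket names the way a bucket search engine's collector might.

Added example for this article; it is not BuckHacker's code. The URL layout
(https://<bucket>.s3.amazonaws.com/), the ListBucketResult XML namespace and
the AccessDenied / NoSuchBucket / PermanentRedirect error codes are real S3
behaviour. The suffix list and the sample responses below are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Assumed wordlist suffixes; real collectors use far larger lists.
SUFFIXES = ["", "-backup", "-backups", "-dev", "-staging", "-prod"]


def candidates(org):
    """Turn an organisation name into a handful of plausible bucket names."""
    base = "-".join(org.lower().split())
    return [base + s for s in SUFFIXES]


@dataclass
class BucketProbe:
    bucket: str
    status: str                  # vocabulary defined in classify()
    keys: list = field(default_factory=list)
    truncated: bool = False      # True when the listing has further pages


def error_code(body):
    """Return the <Code> of an S3 <Error> document, or None if body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None


def parse_listing(body):
    """Extract object keys from a ListBucketResult document (a public index page)."""
    root = ET.fromstring(body)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError("not a ListBucketResult document")
    keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated


def classify(bucket, http_status, body):
    """Map an unauthenticated GET on the bucket root to one of five outcomes."""
    if http_status == 200:
        keys, truncated = parse_listing(body)
        return BucketProbe(bucket, "public-listing", keys, truncated)
    code = error_code(body)
    if code == "NoSuchBucket":
        return BucketProbe(bucket, "no-such-bucket")
    if code == "AccessDenied" or http_status == 403:
        # The name is taken, so some AWS customer owns it; listing is blocked,
        # but individual objects may still be readable by URL.
        return BucketProbe(bucket, "exists-private")
    if code == "PermanentRedirect" or http_status == 301:
        return BucketProbe(bucket, "exists-other-region")
    return BucketProbe(bucket, "unknown")


def probe(bucket, timeout=10):
    """Network step: one unauthenticated GET per name (needs internet access)."""
    req = urllib.request.Request(
        f"https://{bucket}.s3.amazonaws.com/",
        headers={"User-Agent": "bucket-probe-example/0.1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(bucket, resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(bucket, err.code, err.read())


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-corp-backups</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>db/prod-2018-02-01.sql.gz</Key><Size>52341</Size></Contents>
  <Contents><Key>config/.env</Key><Size>812</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
SAMPLE_MISSING = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""


if __name__ == "__main__":
    # Offline walk-through over the constructed responses; swap in probe(name)
    # for each of candidates("Example Corp") to run it against real S3.
    for name, status, body in [("example-corp-backups", 200, SAMPLE_LISTING),
                               ("example-corp", 403, SAMPLE_DENIED),
                               ("example-corp-staging", 404, SAMPLE_MISSING)]:
        result = classify(name, status, body)
        print(name, result.status, result.keys)
```

A search engine of this kind would persist each `BucketProbe` (name, status, keys) and index the keys so that users can query by filename as well as by bucket name; only the `public-listing` outcome yields an index page to store, while `exists-private` records that the name is taken without revealing who owns it.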
“The project is still in a really super alpha stage (there are several bugs at the moment that we are trying to fix),” the BuckHacker developer added. “I was sharing the project privately with some friends, but unfortunately we then went public before the time. Actually, we are even thinking of shutting it down because it is quite unstable.”
Shortly before publication, the BuckHacker Twitter account announced that the service was going “offline for maintenance.”
Motherboard confirmed the search engine works, in at least some cases, by successfully looking up a server Motherboard knew to be exposed at the time of writing.