Google Cloud Buckets Exposed in Rampant Misconfiguration

An industry analysis has revealed that a significant percentage of cloud databases containing highly sensitive information is publicly available.

In a survey of 2,064 Google Cloud buckets, Comparitech found that six percent of all Google Cloud buckets are misconfigured and exposed to hackers. The survey further disclosed that 131 of them were vulnerable to unauthorized access by users who can download, list, or upload files. It also revealed that as many as 6,000 scanned documents, including personal profiles, passports, and birth certificates from children in India, are at risk of hacking.

“Those buckets can contain confidential files, databases, source code and credentials, among other things,” wrote researcher Paul Bischoff at the firm, in a posting. Bischoff added that uncovering exposed cloud databases is a trivial matter. In the case of Google, the naming guidelines leave buckets exposed to malicious attacks by hackers and others. For instance, Google Cloud database names must be between three and 63 characters long and may include only lowercase letters, underscores, numbers, and dashes, with no spaces, and every name must start and end with a letter or number.

“Our researchers were able to scan the web using a special tool available to both administrators and malicious hackers. They searched for domain names from Alexa’s top 100 websites in combination with common words used when naming buckets like ‘bak,’ ‘db,’ ‘database’ and ‘users,’” Bischoff explained. “Filtering based on the search input and the naming guidelines, they were able to find more than 2,000 buckets in about 2.5 hours. Our researchers noted they could likely improve their analysis to cover even more domains.”

The researchers then evaluated the list of buckets they found to determine whether each one was misconfigured or vulnerable.

“This is where our researchers’ analysis stopped, but of course, an attacker could go much further. For example, an attacker could download all files in the bucket using the ‘gsutils’ command-line tool, an official tool from Google for managing buckets,” Bischoff warned.

The problem is not limited to Google Cloud buckets: Amazon’s S3 buckets are not safe either.

“Given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use,” Joe Moles, vice president of customer security operations at Red Canary, said via email. “At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: Better security through better IT.”
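As an added example (not from Comparitech or the original article), the following Python audits an inventory of your own buckets' IAM policies for the exposures the survey describes (public list, download or upload) and flags names that follow the guessable pattern of an organisation name plus a common word. The role-to-capability map is a simplified assumption, and the bucket names and policies are constructed samples in the shape `gsutil iam get gs://BUCKET` returns.

```python
# Principals that make a Cloud Storage IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Simplified role -> capability map (an assumption of this example, not a
# complete list of Cloud Storage roles).
ROLE_CAPS = {
    "roles/storage.objectViewer": {"list", "download"},
    "roles/storage.objectCreator": {"upload"},
    "roles/storage.objectAdmin": {"list", "download", "upload"},
    "roles/storage.legacyBucketReader": {"list"},
}
# Common words the article says were combined with domain names.
COMMON_WORDS = ("bak", "db", "database", "users")

def public_capabilities(policy):
    """Return what an anonymous or any-Google-account caller can do."""
    caps = set()
    for binding in policy.get("bindings", []):
        if PUBLIC_MEMBERS & set(binding.get("members", [])):
            # Unmapped roles are reported by name so they get reviewed.
            caps |= ROLE_CAPS.get(binding["role"], {"review:" + binding["role"]})
    return caps

def is_guessable(bucket_name, org_stems):
    """True if the name contains an organisation stem plus a common word."""
    name = bucket_name.lower()
    return any(s in name for s in org_stems) and any(w in name for w in COMMON_WORDS)

def audit(inventory, org_stems):
    """inventory maps bucket name -> IAM policy dict; returns findings."""
    findings = []
    for name, policy in sorted(inventory.items()):
        caps = public_capabilities(policy)
        if caps:
            findings.append((name, sorted(caps), is_guessable(name, org_stems)))
    return findings

# Constructed sample inventory (hypothetical bucket names and policies).
SAMPLE = {
    "example-users-bak": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]},
    ]},
    "example-internal-7f3a": {"bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["group:ops@example.com"]},
    ]},
}

if __name__ == "__main__":
    print(audit(SAMPLE, ["example"]))
```

Each finding is a tuple of bucket name, the capabilities granted to the public, and whether the name is easy to guess; a bucket that is both public and guessable is the first one to fix.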

Ajay Dubedi, the CEO and Founder of Cloud Analogy, remarked that internet security has always been a topic of debate and that the aggravating instances of suspicious website logins, website hacks, and malicious cookies have put consumer privacy at great risk. Dubedi added that businesses today are literally forced to adopt certain tools that lack the security that they claim to offer and, therefore, users must evaluate their internet protection methodologies carefully and comprehensively.

Looking for guidance on how to secure your cloud databases? Reach out to experts at Cloud Analogy by giving us a call at +1 (415) 830-3899 or drop us an email at info@cloudanalogy.com
