ABC leaks thousands of user passwords in AWS S3 error

  • Liam Tung (CSO Online)
  • 20 November, 2017 07:22

The Australian Broadcasting Corporation is the latest organization to have been caught exposing user data on the internet through a misconfigured S3 bucket hosted on Amazon Web Services. 

ABC’s leaky S3 bucket was discovered by security firm Kromtech, which found the Australian broadcaster’s IT admins had made the classic AWS error of setting an S3 bucket containing sensitive information to ‘public’. AWS generally recommends against making S3 buckets publicly available on the internet.

According to Kromtech, the exposed data was being managed by ABC Commercial and included “several thousand” users’ email addresses, logins, and hashed passwords that were used by members of the local media industry to access ABC’s paid-for content. The S3 bucket also contained 1,800 daily MySQL database backups from 2015 to today, and login details to access "advance video content".

The leaky S3 bucket was configured with a more secure access policy “within minutes” of ABC’s IT security team being informed of the issue, according to Kromtech.      

The discovery of ABC’s security blunder came on the heels of the finding that an enterprise IT contractor had mistakenly created a public policy for an S3 bucket containing sensitive information on 50,000 Australian government and private sector staff. 

Consulting firm Accenture and telecoms giant Verizon have also made the same error, which is so common that AWS recently updated the S3 console to flag to admins any S3 buckets that are publicly accessible. Kromtech discovered the ABC's misconfigured S3 bucket a week after AWS introduced the new security alerts.

AWS makes it simple to check and control whether a bucket of files in S3 is public or private, but it appears there is a lack of awareness that public S3 buckets have a predictable, non-random URL. If the URL to a public bucket is known, its filenames and directories can be viewed by anyone on the internet.

Search engines can also reveal publicly accessible S3 buckets. Kromtech says ABC’s S3 buckets were indexed by the search engine Censys, which is used by security researchers -- and probably hackers -- to make queries about hosts and networks on the internet. 

AWS offers “access control lists” to restrict access to files and directories within a bucket and the bucket itself to authorized users. While the contents of files in public buckets aren’t exposed if access controls have been applied to files, even filenames can pose a risk when they indicate the content stored in them.       

The updated AWS S3 Console now displays a yellow “Public” label next to each S3 bucket name if it is publicly accessible. A summary at the top of the page displays how many of the total number of buckets are “public”, which should make it more difficult for admins to accidentally leave a bucket exposed.
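
For admins who want the same check outside the console, here is an added example (not from the article, Kromtech or AWS) that inspects bucket ACLs in the JSON shape returned by `aws s3api get-bucket-acl` and reports grants to the predefined AllUsers and AuthenticatedUsers groups. The bucket names and ACL documents are constructed sample data, and bucket policies, which can also make a bucket public, are not evaluated.

```python
# Added example: flag S3 bucket ACL grants that expose a bucket publicly.
# Input uses the JSON shape of `aws s3api get-bucket-acl`; all sample data is constructed.

# Predefined S3 grantee groups that make a grant effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet", AUTH_USERS: "any AWS account holder"}

# What each bucket-level ACL permission lets the grantee do.
EXPOSURE = {
    "READ": "list object names",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write and change the ACL",
}

def public_grants(acl):
    """Return (audience, permission, effect) for every public grant in an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific account are not public
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if audience:
            perm = grant.get("Permission", "")
            findings.append((audience, perm, EXPOSURE.get(perm, "unknown")))
    return findings

def audit(acls):
    """Map bucket name -> findings, keeping only buckets with public grants."""
    return {n: f for n, a in acls.items() if (f := public_grants(a))}

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {  # constructed bucket names and ACLs
    "example-media-backups": {"Grants": [OWNER,
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "example-partner-uploads": {"Grants": [OWNER,
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]},
    "example-private-assets": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_ACLS).items():
        for audience, perm, effect in findings:
            print(f"PUBLIC {bucket}: {perm} granted to {audience} ({effect})")
```

A bucket-level `READ` grant to AllUsers is the case the article describes: object names become listable even when the objects themselves carry stricter ACLs.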