An Empirical Analysis for Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes
The vast majority of data leaks don’t occur because of criminals breaking and entering data silos. They occur because of human mistakes: misconfigurations, oversights, and a lack of system administration efforts. This is especially evident with the growing dependence on cloud environments for storing and hosting data.
The process of finding and disclosing cloud data leaks sometimes felt like “mopping the floor with the faucet running”. That was also true of the case described in this post: new leaks emerged faster than the disclosure process could handle them.
This didn’t dishearten the team: any problem prevented means potential consequences have been avoided. Almost 100 organisations have acted on the research and prevented crises. Even more have received the information and are now aware. This in itself reassures the team that these efforts are worth it.
Background
The researchers, led by Soufian El Yadmani from Modat and Leiden University, together with TU Delft and in collaboration with CSIRT.global, have investigated the availability of environment secrets, such as API keys or credentials, in cloud storage services such as AWS S3, Google Cloud Storage, and Azure Blob Storage. What they found was disheartening: there is an incredible number of misconfigured cloud storage instances, publicly accessible to anyone, that contain hundreds of valid secrets. Some of them contain extremely sensitive data, like personal ID documents, healthcare records, credentials and contracts. Some of these create third-party risks and allow access to a wide range of data or sensitive services.
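The misconfiguration described above is usually one of three things on an S3-style bucket: a bucket policy that grants read access to a wildcard principal, an ACL grant to the AllUsers or AuthenticatedUsers group, or Public Access Block settings left switched off so that such grants take effect. The following Python is an added example, not the researchers' tooling or any cloud provider's own code; it evaluates those three artefacts (as an owner can pull them from their own account) with simplified rules that are an assumption rather than AWS's exact definition of "public", and runs them over constructed sample documents:

```python
"""Added example (not the researchers' tooling): a heuristic check of whether an
S3-style bucket is reachable by anonymous or any-authenticated principals,
judged from three artefacts an owner can pull from their own account: the
bucket policy, the bucket ACL and the Public Access Block settings. The rules
are a simplification of AWS's own "public" definition and are an assumption.
"""
from __future__ import annotations

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Policy documents allow a scalar wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: dict) -> list[str]:
    """Sids of unconditional Allow statements granting read actions to everyone."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if READ_ACTIONS & set(_as_list(stmt.get("Action"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl: dict) -> list[str]:
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as "Group:Permission"."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            grants.append(f"{group}:{grant.get('Permission')}")
    return grants


def assess_bucket(policy: dict, acl: dict, public_access_block: dict) -> dict:
    """Combine the three artefacts. RestrictPublicBuckets neutralises a public
    policy and IgnorePublicAcls neutralises public ACL grants; BlockPublicAcls
    and BlockPublicPolicy only stop *new* public settings from being written,
    so they do not by themselves fix an already-public bucket."""
    policy_hits = public_read_statements(policy)
    acl_hits = public_acl_grants(acl)
    policy_effective = bool(policy_hits) and not public_access_block.get("RestrictPublicBuckets", False)
    acl_effective = bool(acl_hits) and not public_access_block.get("IgnorePublicAcls", False)
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "exposed": policy_effective or acl_effective,
    }


# Constructed sample artefacts (not taken from any real bucket or account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
]}
PAB_OPEN = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_LOCKED = {k: True for k in PAB_OPEN}   # the recommended default for every bucket

if __name__ == "__main__":
    for label, pab in (("open", PAB_OPEN), ("locked", PAB_LOCKED)):
        print(label, assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, pab))
```

The same policy and ACL come out as exposed with the Public Access Block switched off and as not exposed with all four settings on, which is why turning those settings on at account level is the first remediation step for a bucket that was never meant to be public; the grants themselves should still be removed afterwards.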
Ethical considerations were paramount for this research, and the University of Leiden’s ethics committee approved it. The University's focus was on identifying the API keys, while CSIRT.global and Modat added other leaked information, like passports, healthcare records, and many other types.
Automation
Because of the vast amount of data, the process was automated with extensive scripting and filtering, and, in keeping with the academic approach of the research, an analysis of “false negatives” was performed to underpin the results.
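The filtering step is what makes automated secret discovery workable at this scale: raw pattern matches over file contents produce far more placeholders and dummy values than real credentials. The Python below is an added illustration, not the researchers' scripts, of the two filters a defender typically layers over a bucket's contents before raising an alert: documented key formats are treated as strong signals, generic `name = value` assignments are kept only when the value has enough Shannon entropy to look like real key material, and obvious placeholders are dropped. The regular expressions, the entropy threshold of 3.0 bits per character and the sample object are all assumptions of this example; the sample is constructed, not recovered data.

```python
"""Added example (not the researchers' tooling): pattern plus entropy filtering
for secrets in the text of a storage object, with the trade-offs a defender
would tune (format patterns, entropy threshold, placeholder list all assumed)."""
import math
import re
from collections import Counter

# Values that are almost certainly documentation or template placeholders.
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "xxxx", "your_", "<")

PATTERNS = {
    # Documented vendor key formats: a match is a strong signal on its own.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    # Generic assignments (API_KEY=..., "token": "...") need the entropy filter.
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|token|password|passwd)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=.]{12,})"
    ),
}
STRONG_FORMATS = {"aws_access_key_id", "google_api_key"}


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(word in lowered for word in PLACEHOLDER_WORDS)


def mask(value: str) -> str:
    """Never carry the full candidate secret into findings or logs."""
    return f"{value[:4]}...{value[-2:]}"


def scan_text(text: str, entropy_threshold: float = 3.0) -> list:
    """Return (line number, pattern name, masked value) for each surviving candidate."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, regex in PATTERNS.items():
            for match in regex.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if (lineno, value) in seen:
                    continue  # a strong-format hit already covered this value
                if looks_like_placeholder(value):
                    continue
                if name not in STRONG_FORMATS and shannon_entropy(value) < entropy_threshold:
                    continue
                seen.add((lineno, value))
                findings.append((lineno, name, mask(value)))
    return findings


# Constructed sample of a .env-style object; every value here is made up.
SAMPLE_OBJECT = """\
# constructed sample of a .env-style file, not real data
DB_PASSWORD=changeme_changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY=aaaaaaaaaaaaaaaaaaaa
SECRET_KEY=q7Vb2nXe9LpR4sTk1mZw8YdH
GOOGLE_API_KEY=AIzaSyD-CONSTRUCTED_sample_0123456789ab
"""

if __name__ == "__main__":
    for lineno, name, shown in scan_text(SAMPLE_OBJECT):
        print(f"line {lineno}: {name} {shown}")
```

Of the five assignments in the sample, only two survive: the `changeme` password and the `EXAMPLE` access key are dropped as placeholders, the run of `a` characters has zero entropy, while the high-entropy `SECRET_KEY` value and the Google-format key are reported. Tuning the threshold is the practical lever: lowering it catches shorter human-chosen passwords at the cost of more false positives, and the "false negatives" analysis the post mentions is exactly the check that the filters are not discarding real secrets.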
Responsible Disclosures
Via the non-profit organisation CSIRT.global, the team disclosed critical leaks to their owners. The outcome of this process was generally positive, with a remediation rate of over 59%. Some organisations were very supportive of the disclosures, some silently fixed the issues, and some did not respond at all to these critical security risks.
In order to find the “owners” of the secrets, the team used public (bucket) information, information found in leaked data, and OSINT. The process of reaching hundreds of organisations proved to be difficult to automate, and a lot of manual work was involved.
CSIRT.global received many responses while performing the disclosures. One organisation asked CSIRT.global whether it could perform a proof of concept of misusing the secret information. None of the responses were negative in nature, which shows that responsibly disclosing security issues has become a more widely accepted and mature process.
The Results of Responsible Disclosure
Hundreds of organisations received disclosures. The top countries receiving disclosures were, in order:
US (25%),
India (6%),
Australia (5%),
Great Britain,
Brazil,
South Korea.
The Netherlands is in 14th place, tied with six other countries.
The organisations vary in size; they include banks in multiple countries, police departments, government ministries, access management companies, and security companies. The top industries are, in order:
Computer / IT,
Retail and E-tail,
Finance,
Education,
Media,
Health Care.
Conclusion
In conclusion, the research conducted by Modat, the University of Leiden, TU Delft and CSIRT.global has highlighted the potentially disastrous threat posed by misconfigured cloud storage. Regardless of the size and maturity of companies and their security teams, we encountered leaks across them all. The findings underscore the pressing need for better system administration and vigilant oversight to prevent data leaks. Despite the overwhelming challenge of identifying and reporting these leaks, the team has made significant strides, with many organisations taking steps to mitigate potential risks. The high number of positive responses to the disclosures illustrates a growing awareness and maturity in addressing cloud security issues.
This study not only emphasizes the importance of automated tools in managing vast amounts of data but also sheds light on the crucial role of ethical considerations in cybersecurity research. As more organizations become aware of these vulnerabilities, it is hoped that the collective effort will lead to a more secure digital environment, reducing the instances of sensitive data being exposed due to human error. The dedication of the research team and their collaborative efforts with various entities are commendable, paving the way for continuous improvements in cloud security practices.
To read the full paper, visit: