AWS S3 Bucket exposes 31,000 GoDaddy Servers

This week, configuration information for the world’s largest domain name registrar, GoDaddy, was exposed online. According to UpGuard, their Cyber Risk Team:

Discovered and secured a data exposure of documents appearing to describe GoDaddy infrastructure running in the Amazon AWS cloud, preventing any future exploitation of this information.

The documents were left exposed in a publicly accessible Amazon S3 bucket which, according to a statement from Amazon:

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer. No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”

GoDaddy is the latest organisation to suffer the disrepute of having sensitive information exposed via a wrongly configured Amazon Web Services (AWS) S3 cloud storage bucket.

This happened despite the fact that Amazon had taken some steps to prevent similar leaks. The steps at the time included adding default encryption, permission checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Reports.

According to UpGuard:

The exposed configuration information included fields for hostname, operating system, “workload” (what the system was used for), AWS region, memory and CPU specs, and more. Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields. Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates – as do GoDaddy’s competitors.

The impact of this data leak could have huge financial implications for GoDaddy. Here’s why:

  • The GoDaddy team was informed about the leak but didn’t act on the information for over five weeks.
  • This raises the question: is this the typical time it takes companies of this size and scale to respond to security exposures of this nature?
  • No one knows how much of the information (which apparently includes the GoDaddy-AWS deal structure) was exposed to other parties.
  • Malicious attackers seeking to disrupt the internet could make use of this information.

Roughly 20% of the internet is hosted by GoDaddy, so the impact of such an attack, if it did occur, would be significant.

In recent years, quite a few organisations have suffered from the effects of poorly configured S3 buckets, which allowed similar exposures and breaches, as we saw at the Pentagon.

In the beginning, one could point the finger at AWS, but following recent steps from AWS to provide more implicit security in S3 buckets, one cannot help but ask where the line of joint responsibility between the service provider and the user of the service lies.

The use of cloud services in any form brings with it a different risk profile, which needs to be at the forefront for all organisations in the current age. The culture of plug and play with minimal responsibility leads to events like this becoming more common.

Hopefully, this will be a wake-up call to the reality that, while in the past all information was safely tucked away in a data centre behind a firewall, a new security mindset and responsibility is now needed. Finally, faster response times when exposures are identified go a long way to engender consumer confidence; five weeks is way too long to respond.

Images courtesy of The Register