Stratosphere: Finding Vulnerable Cloud Storage Buckets
- 6 October 2021
- conference paper
- Published by Association for Computing Machinery (ACM) in 24th International Symposium on Research in Attacks, Intrusions and Defenses
Abstract
Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily guessable bucket names and error-prone security configurations, which, together, allow attackers to easily guess and access sensitive data. In this work, we investigate the security of buckets, finding that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. By leveraging prior work in the password analysis space, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find widespread exploitation of buckets and vulnerable configurations continuing to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.
Funding Information
- NSF (DGE-1656518)