October 31, 2022

Security researcher Eilon Harel was able to uncover Amazon’s AWS S3 storage buckets using an open-source “Secrets Scanner.”

Amazon S3 (Simple Storage Service) is a cloud storage service used by organizations to store software, services and data in containers marked as buckets. Unable to properly back up their S3 buckets, organizations make stored data publicly available to the internet.

To exploit this loophole, Harel created a Python tool called “S3crets Scanner,” which performs specific actions, including using CSPM to get a list of public buckets, listing the bucket content via API queries, searching for exposed textual files, downloading the relevant textual files, downloading the relevant textual files, searching the contents for secrets, and forwarding the results to SIEM.

When scanning a bucket, the script examines the content of text files using the Trufflehog3 tool. The tool is an improved Go-based version of the secret scanner that can search GitHub, GitLab, file systems and S3 buckets for credentials and private keys.

Trafflehog3 scans the files downloaded by S3crets using a custom rule designed by Harel which target personally identifiable information (PII) exposure and internal access tokens.

However, the scanner only lists S3 buckets that have the following configurations set to ‘False.’

All buckets that are supposed to be public are filtered out of the list before the textual files are downloaded for the “secrets scanning” step.

The researcher explain that the scanner can be used to scan an organization’s assets, ultimately helping to minimize the likelihood of data leaks or network breaches resulting from the exposure of secrets.

The sources for this piece include an article in BleepingComputer.