Fashion App’s Faux Pas: Open Buckets of (21) Buttons
TL;DR: Leaving its S3 buckets exposed, the fashion-focused social app 21 Buttons is caught with its pants down.
Because it had nothing to do with FireEye or SolarWinds, many of us missed this breach announcement – buried beneath sexier headlines of nation-state espionage, we nearly lost an opportunity to reinforce how to address one of the most common public cloud security failures (while making bad puns). In short, a company left an S3 bucket wide open and shockingly (/sarcasm), some folks from vpnMentor found it. In the immortal words of David Byrne, “Same as it ever was.”
It was a meaty breach, exposing information about social media influencers from the site 21 Buttons. It seems people who want to be famous upload photos, addresses, bank accounts, PayPal email addresses, and other juicy stuff to this website. Then they get paid if other people buy things because of their “influence.” Do I have that right? This social influencer business is Greek to me, but the problems that follow the casual upload of PII to the Internet are, sadly, a recurring topic in my line of work.
Unfortunately, in this case, the 21 Buttons folks dumped all of that uploaded stuff – photos, videos, INVOICES – in one S3 bucket in AWS and then didn’t secure it. What could possibly go wrong?
Look, any organization can be the victim of a breach. Sometimes you do all the right things, and the bad guys still get in, but we should not make it easy for them. Don’t assume your cloud provider is secure by default. It’s January 2021, and we’re still talking about protecting cloud storage buckets. That’s a problem. I mean, it’s not like AWS makes it very clear when your S3 buckets provide public access. Oh, that’s right, they do.
The reality is that you have to work hard to expose an S3 bucket in AWS, so I’m gobsmacked that it still happens. Then again, some people still use Windows XP, so we’ve got a long way to go when it comes to nailing the fundamentals.
Please, _please_, **please** don’t leave public buckets exposed to *gestures to everyone.* AWS GuardDuty will send you an alert, and (*cough* shameless plug *cough*), my favorite Cloud Detection & Response Platform will automatically lock the bucket down for you.
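For anyone who wants to check their own buckets for the exact misconfiguration described above, here is a small offline checker I’m adding as an illustration (it is not from the post, 21 Buttons, vpnMentor or any AWS tool). It takes the documents you would get back from GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, flags an ACL or policy that grants access to everyone, and reports whether S3 Block Public Access would have neutralised that grant; the sample ACL, policy and bucket name are constructed, and the policy test is deliberately simpler than AWS’s own definition of “public”.

```python
import json

# Grantee URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_is_public(acl):
    """True if any grant in a GetBucketAcl-style document targets a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False

def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal and has no Condition.
    Simplified: AWS's own public-policy test also inspects the condition keys."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal == "*" or (isinstance(principal, list) and "*" in principal):
            return True
    return False

def public_access_blocked(pab):
    """True only when all four S3 Block Public Access settings are enabled."""
    return all(pab.get(key) is True for key in PAB_KEYS)

def assess_bucket(acl, policy_json, pab):
    """OK: nothing grants public access. EXPOSED: a public grant exists and Block Public
    Access is not fully on. GRANT_PRESENT_BUT_BLOCKED: the grant is there but neutralised."""
    grants_public = acl_is_public(acl) or (policy_json is not None and policy_is_public(policy_json))
    if not grants_public:
        return "OK"
    return "GRANT_PRESENT_BUT_BLOCKED" if public_access_blocked(pab) else "EXPOSED"

# Constructed samples (not from the breach): a world-readable ACL, a wildcard GetObject
# policy on a made-up bucket name, and both extremes of Block Public Access.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})
NO_BLOCK = {key: False for key in PAB_KEYS}
FULL_BLOCK = {key: True for key in PAB_KEYS}
```

Calling `assess_bucket(OPEN_ACL, None, NO_BLOCK)` reproduces the 21 Buttons situation and returns `EXPOSED`; the same ACL with `FULL_BLOCK` returns `GRANT_PRESENT_BUT_BLOCKED`, which is the state the account-level Block Public Access setting buys you.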
We made it out of 2020. Is it too much to ask everyone to commit to protecting the stuff they upload to the cloud? I’m asking either way.