Skip to content ↓ | Skip to navigation ↓

With the cloud rapidly becoming the principal source of computing and data storage resources for organizations of all sizes, new types of exposures and attack paths have emerged. Earlier in the year, security researchers made a series of discoveries around organizations misconfiguring their AWS S3 buckets that allowed public access to the data stored in these buckets.

More recently, Skyhigh cloud security researchers revealed a new type of data exposure in S3 buckets called ‘GhostWriter.’ It’s where bucket owners misconfigure S3 buckets that allow public write access. This means that an unauthorized party could launch a stealthy man-in-the-middle (MITM) attack.

GhostWriter highlights the fact that cloud security is not the sole responsibility of the cloud service provider but is a shared responsibility. It is often a customer misconfiguration or misuse of a cloud service that exposes their data to unauthorized parties – so much so that according to Gartner, by 2020, 95 percent of security failures in the cloud will be the customer’s fault.

Skyhigh has identified that, on average, more than 1,600 S3 buckets (many referenced from web sites that leverage S3 for delivering content) are accessed from within enterprise networks, of which about four percent are exposed to ‘GhostWriter’ due to misconfiguration by bucket owners rather than due to any exposure in the storage service provider.

Skyhigh has identified thousands of such buckets being accessed from enterprise networks and has shared these affected buckets with AWS for remediation.

These exposed third party buckets are wide-ranging and include buckets owned by leading national news/media sites, large retail stores, popular cloud services, and advertisement networks.

What Can Bucket Owners Do About GhostWriter?

With the shared responsibility model for security associated with using AWS comes the serious need for customers to understand the myriad ways that AWS services can be misconfigured.

In the case of GhostWriter, what seems to be happening is that bucket owners have either carelessly allowed public writes or have not fully understood the ramifications of read and write ACL controls, as well as the semantics of AWS “Authenticated Users.” These factors contribute to a wide-open environment where third parties can exploit trusted interactions.

Bucket owners who store JavaScript or other code should pay particular attention to this issue to ensure that third parties don’t silently overwrite their code for drive-by attacks, Bitcoin mining, or other exploits. Even simple image or document content left open for overwriting can be exploited for steganography attacks or malware distribution.

Organizations leveraging S3 to store their own data (for internal or external consumption) own the responsibility to set and monitor ACLs and permissions and to validate that all use is compliant with the enterprise’s S3 access policies on a continuous basis.

What Can Enterprises Do About GhostWriter?

Whereas publicly readable buckets can only harm the bucket and data owner, publicly writable buckets can be used as vector for malware or other malicious data/code proliferation due to a potential MITM attack. In this way, GhostWriter poses serious ramifications on the security posture of the consumer of the data as well (website visitors, for example).

This issue needs to be addressed in a manner similar to how enterprises control web traffic – leverage knowledge of each S3 bucket’s security posture that could impact the enterprise and only allow access to S3 buckets that are not exposed to GhostWriter.

What Is Next?

There are two means by which you can protect your organization from GhostWriter for S3 buckets:

1. Trust but Verify: Ensure that data is only downloaded into an enterprise network from third-party buckets that are not susceptible to GhostWriter.

You can do this by:

  1. Identifying all 3rd party buckets accessed from an enterprise network
  2. Rating each 3rd party bucket based on its exposure to GhostWriter
  3. Taking policy-based action to block access to higher risk buckets in the enterprise perimeter

2. Trust but Audit: Ensure that your organization’s use of AWS S3 is not susceptible to GhostWriter. AWS provides many native best-practices and tools to manage and validate policies for configuring S3.

For a detailed guide on how to eliminate your AWS GhostWriter exposure, follow the technical instructions here.


Sekhar Sarukkai

About the Author: Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.