AWS Buckets Exposed!

By TheJan | Gray Hats | 19 Aug 2022


How data is exposed on the internet

It's no secret that on the internet, many resources are unintentionally exposed and publicly accessible. While some of these resources are harmless, like temporary files of uncritical operations or backup copies of files that are public anyway, some are more concerning.

In recent years, online storage at popular web space providers has grown in demand, and services have evolved around users' needs; some examples are:

Each of these offers to store your data for an indefinite amount of time at rather affordable rates. Putting all the data your web services need, or your personal or business backups, on their web drives is tempting: no more failing hard drives in your local storage, at the cost of requiring an active internet connection, which you likely have available anyway.

These services can be challenging to configure, though. Many users just want the web space, and they want it fast and easy. With fast and easy comes sloppy, and with sloppy, your online storage gets exposed to the public.

All of the above services offer key-file- or passphrase-based access rules, and they can be locked down to Fort Knox level (i.e. no one gets in). Some of the convenience defaults users get to choose from circumvent this level of security, which allows hackers (or anyone, really) to sift through the files contained within them.
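As an added example (not part of the original post), here is an offline audit, in Python, of the two AWS settings that most often turn a bucket into one of the "publicly exposed" ones described above: an ACL granting access to the AllUsers or AuthenticatedUsers groups, and a bucket policy whose Allow statement names any principal. The input dictionaries mirror the shapes `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return; the sample ACL, policy, bucket name and account id are constructed.

```python
"""Flag public grants in an S3 bucket ACL and bucket policy (offline)."""

# Canned ACL groups: AllUsers = anyone on the internet, AuthenticatedUsers =
# anyone with any AWS account. Both count as public for this check.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list[str]:
    """Return 'PERMISSION to GROUP' for every grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append(f"{grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def _principal_is_anyone(principal) -> bool:
    # A policy principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy: dict) -> list[str]:
    """Return the Sid (or index) of each Allow statement open to any principal.
    Statements carrying a Condition are skipped: they may be narrowed (e.g. to a
    VPC endpoint) and deserve a manual look rather than an automatic verdict."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


# Constructed sample: owner keeps FULL_CONTROL, but READ is also granted to
# AllUsers, and the policy lets any principal GetObject from the bucket.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CiOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for finding in public_acl_grants(SAMPLE_ACL):
        print("ACL grant open to the public:", finding)
    for sid in public_policy_statements(SAMPLE_POLICY):
        print("Policy statement open to any principal:", sid)
```

Feed the output of the two `aws s3api` calls (parsed with `json.loads`) into the same functions to audit a real bucket; an empty result from both, together with S3 Block Public Access enabled, is what a locked-down bucket looks like.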

A service that indexes public buckets

As with anything potentially lucrative, someone will offer you a service (and charge you) for it. A prominent one for semi-automatically searching through publicly exposed buckets from all of the above services is Gray Hat Warfare. Some details:

  • URL: https://grayhatwarfare.com/
  • Cost: Free (access to only a part of the buckets), 25€ / month for access to everything
  • Supports: Amazon AWS, Microsoft Azure, DigitalOcean Spaces

You can give it a whirl for free right now and see for yourself. Just enter your search term, maybe add the file extensions you're looking for, and hit "Search".

You are then presented with a (potentially long) list of results.

If you like any particular bucket, you can search through that bucket specifically to see what else it offers. If you see a filename you find interesting, you can just click its link and you'll be directed right to the public file.

Disclaimer - Do the right thing!

There are endless things to do with this, so please keep in mind:

Don't use this for any malicious or criminal purpose. This article (as well as Gray Hat Warfare, as stated on their site) is meant for educational purposes only, to educate the broader public about the issues of publicly exposed web storage. Please use any information you find responsibly and inform the respective owner of any leaked sensitive information if possible.

I am in no way affiliated with Gray Hat Warfare.
