bucketchallenge

@bucketchallenge@infosec.exchange
714 Followers
114 Following
157 Posts
s3 Buckets are my hobby. Ice-cold nightmares about the insecurity of the cloud.
I will not link the bucket here on Mastodon while it is still open, as the data in it would cause hurt to innocent people.

The #norwegian public transport organisation #vy closed a #s3 #bucket with more than 50k reports about how their bus drivers perform in terms of efficiency, comfort and so on. The system is called "Eco Safe".

A little description of this system is here: https://ytf.no/nyheter/gronn-overvakning

Quote (original): "Vi tillitsvalgte har full kontroll på hvem som får tilgang til forskjellige opplysninger og hvordan de brukes." English translation: "We union representatives have full control over who gets access to different information and how it is used." This was not accurate until a few hours ago.

Grønn overvåkning? (Green surveillance?) | Yrkestrafikkforbundet

Several bus companies monitor almost everything the driver does during the bus journey.

Today's #s3 #bucket: a #SQL dump with md5-hashed passwords AND the cleartext password next to them. 🤫

I recommend:

* changing the permissions of the bucket
* changing all passwords of the users on your platform
* not storing your users' passwords in plaintext
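The recommendations above are exactly the two halves of the password problem: an unsalted MD5 column is cracked by lookup in seconds, and once cleartext has leaked the only remedy is a forced reset. The following is an added example, not code from the bucketchallenge posts or from the affected platform; the three dump rows and the wordlist are constructed for the example, and the `pbkdf2_sha256$...` record format is an assumption of this example, not the platform's schema.

```python
"""Added example (not code from the bucketchallenge posts or from the affected
platform): why an MD5 column next to a cleartext column buys nothing, and what
the "don't store plaintext passwords" recommendation looks like in code.

The three dump rows and the wordlist below are constructed for the example;
they are not data from the leaked SQL dump.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the leaked table: (user, md5(password), cleartext).
LEAKED_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99", "password"),
    ("bob",   "e10adc3949ba59abbe56e057f20f883e", "123456"),
    ("carol", "d8578edf8458ce06fbc5bb76a58c5ca4", "qwerty"),
]

# Constructed wordlist; real crackers use billions of candidates and GPUs.
WORDLIST = ["letmein", "password", "123456", "qwerty", "dragon"]


def crack_md5(digests, wordlist=WORDLIST):
    """Recover passwords behind unsalted MD5 digests with a lookup table.

    Without a salt, one MD5 computation per candidate covers every user at
    once, so even without the cleartext column beside it the MD5 column would
    fall in seconds for any common password.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


def hash_password(password, *, salt=None, iterations=600_000):
    """Store a password as PBKDF2-HMAC-SHA256 with a random per-user salt.

    The record format "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is an
    assumption of this example, chosen so the parameters travel with the hash
    and the iteration count can be raised later without a flag day.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Check a password against a stored record, comparing in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def migrate_rows(rows, iterations=600_000):
    """Replace both the MD5 and the cleartext column with one PBKDF2 record.

    Rehashing from the leaked cleartext fixes the storage format only; because
    every password in these rows is already public, the platform still has to
    force a reset for all of them (the second recommendation above).
    """
    return {
        user: {"password_hash": hash_password(clear, iterations=iterations),
               "must_reset": True}
        for user, _md5, clear in rows
    }


if __name__ == "__main__":
    hits = crack_md5([md5 for _, md5, _ in LEAKED_ROWS])
    print(f"cracked {len(hits)}/{len(LEAKED_ROWS)} MD5 digests: {hits}")
    for user, rec in migrate_rows(LEAKED_ROWS, iterations=100_000).items():
        print(user, rec["password_hash"][:40] + "...", "must_reset =", rec["must_reset"])
```

PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt (`hashlib.scrypt`) or Argon2 is the better choice where a dependency is acceptable. Whatever the function, the stored record should carry its parameters so they can be tightened on the next successful login.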

I do research about open #s3 buckets in my free time and report them to whoever could be responsible.

Here is a little extract from my penpal relationship with #aws #security. One of those buckets is fixed; all the others are open. We are still waiting for a Bingo or Amazon to fix a second bucket.

At least it is interesting to analyse the order history. Pizza seems to be more interesting at the weekend, no surprise.

Good news from #BucketB: it is offline / greets with a beautiful "access denied". I did not hear back from #AWS yet. The bucket was this one: https://leadsincloud.s3.amazonaws.com/
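The "access denied" greeting above is the observable difference between an open bucket and a fixed one: an unauthenticated GET on `https://<bucket>.s3.amazonaws.com/` answers with a `ListBucketResult` document when listing is public, and with an `Error` document (`AccessDenied` after a fix, `NoSuchBucket`, or `PermanentRedirect` for the wrong region) otherwise. The following check script is an added example, not code from the bucketchallenge posts; the two sample response bodies are constructed to match those documented shapes, and the bucket name and object keys in them are placeholders, not data from any real bucket.

```python
"""Added example (not code from the bucketchallenge posts): tell an open S3
bucket from a fixed one by what its anonymous listing endpoint answers.

The two sample bodies below are constructed to match the shape of S3's
ListBucket response and error document; the bucket name, keys, request id
and host id in them are placeholders.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed: what an open bucket answers (two placeholder keys).
SAMPLE_PUBLIC = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-open-bucket</Name><Prefix></Prefix><MaxKeys>5</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>dump.sql</Key><Size>12345</Size></Contents>
  <Contents><Key>orders/2023-01.csv</Key><Size>4321</Size></Contents>
</ListBucketResult>"""

# Constructed: what a bucket answers once public listing has been removed.
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>REQUESTID</RequestId><HostId>HOSTID</HostId></Error>"""


def classify(status, body):
    """Map an S3 response (status, XML body) to a verdict plus exposed keys."""
    if not body:
        return {"state": f"HTTP_{status}", "keys": [], "truncated": False}
    root = ET.fromstring(body)
    tag = root.tag.split("}")[-1]          # drop the namespace prefix, if any
    if tag == "ListBucketResult":
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        truncated = root.findtext(S3_NS + "IsTruncated") == "true"
        return {"state": "PUBLIC_LISTING", "keys": keys, "truncated": truncated}
    if tag == "Error":                     # S3 error documents carry no namespace
        return {"state": root.findtext("Code") or f"HTTP_{status}",
                "keys": [], "truncated": False}
    return {"state": "UNKNOWN", "keys": [], "truncated": False}


def check_bucket(name, timeout=10):
    """Live check: one anonymous listing request, no credentials attached.

    Only listing is probed. An object can still be readable by key even when
    listing is denied, so a clean verdict here is necessary, not sufficient.
    """
    url = f"https://{name}.s3.amazonaws.com/?max-keys=5"
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 403/404/301 still carry an XML body
        return classify(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        samples = [classify(200, SAMPLE_PUBLIC), classify(403, SAMPLE_DENIED)]
        print(f"usage: {sys.argv[0]} <bucket-name>; sample verdicts: {samples}")
    else:
        print(check_bucket(sys.argv[1]))
```

Run it against a bucket name only for buckets you are reporting or own; `max-keys=5` keeps the probe to a handful of keys, which is enough to prove listing is public without pulling the whole index. A `PermanentRedirect` verdict means the bucket exists in another region and the check must be repeated against the regional endpoint before concluding anything.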