English

Stratosphere: Finding Vulnerable Cloud Storage Buckets

Cryptography and Security 2023-09-26 v1 Networking and Internet Architecture

Abstract

Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily-guessable bucket names and error-prone security configurations, which, together, allow attackers to easily guess and access sensitive data. In this work, we investigate the security of buckets, finding that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. By leveraging prior work in the password analysis space, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find wide-spread exploitation of buckets and vulnerable configurations continuing to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.

Keywords

Cite

@article{arxiv.2309.13496,
  title  = {Stratosphere: Finding Vulnerable Cloud Storage Buckets},
  author = {Jack Cable and Drew Gregory and Liz Izhikevich and Zakir Durumeric},
  journal= {arXiv preprint arXiv:2309.13496},
  year   = {2023}
}

Comments

Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses. 2021

R2 v1 2026-06-28T12:30:36.106Z