More information about The BuckHacker Project

buckhacker, Feb 16, 2018


A few days ago we went online with the www.buckhacker.com portal, and after less than 8h we decided to go offline for maintenance because the infrastructure was not ready for the amount of traffic we started to receive. We made the bad decision to go online with an alpha release (important lesson: never do that again).

Below are the answers to some of the questions we have received over the last few days.

What is the scope of this website?

The main scope of the website is to raise awareness of bucket security. Every month you can read news about white or black hat hackers discovering buckets created with the wrong permissions. Just as websites like shodan.io or censys.io have, in the past, given people a better understanding of the risk of exposing services on the Internet, we think this project could do the same for exposed buckets.

Can you explain how all this works?

Basically we do the following:

1. We collect bucket names in several ways; we don’t brute-force bucket names but have more elegant ideas. At the moment we have more than 100,000 bucket names.

2. We literally wget the website and save the result (data fetched via http/https is truncated to 1000 results; we could do better via API access, but for the moment we decided to limit our collection phase to this).

3. We run a simple script that parses the fetched index files and saves the entries in a database.

4. A simple (and buggy) web interface allows you to query by bucket name (useful for bug bounties) and by file name.

We don’t use any kind of credentials to fetch the data (remember that malicious people could do the same) and we don’t perform any kind of write access.

Additionally, we don’t fetch or mirror the files in the bucket; we take just the bucket index page.

We think this is nothing new: you can find similar results with Google (by using the “site:” operator); of course, with our portal it is simpler.
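Steps 2 to 4 above, as an added example that is not BuckHacker’s own code: the collection step (the wget of the bucket index page) is deliberately left out, and the input is a listing already saved on disk. The listing format assumed is the `ListBucketResult` XML that an S3-style endpoint returns for an anonymous GET on the bucket root, the sample document is constructed, and the store is SQLite. A bucket owner can run the same parser against their own bucket’s anonymous listing to see exactly which object names are exposed, and the `truncated` flag records that a listing cut off at `MaxKeys` (the 1000-result limit the post mentions) is only the first page.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample (not real data) of the XML an S3-style endpoint returns
# for an anonymous GET on the bucket root: the "index page" the post refers to.
# IsTruncated=true mirrors the 1000-result cut-off described above.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents>
    <Key>backups/db-2018-02-10.sql.gz</Key>
    <LastModified>2018-02-10T03:12:45.000Z</LastModified>
    <Size>5242880</Size>
  </Contents>
  <Contents>
    <Key>images/logo.png</Key>
    <LastModified>2017-11-02T09:00:00.000Z</LastModified>
    <Size>2048</Size>
  </Contents>
</ListBucketResult>
"""


def _local(tag):
    """Drop the XML namespace so the parser works whether or not one is present."""
    return tag.rsplit('}', 1)[-1]


def parse_listing(xml_text):
    """Return (bucket_name, is_truncated, entries) from a ListBucketResult document."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != 'ListBucketResult':
        raise ValueError('not a ListBucketResult document')
    bucket, truncated, entries = None, False, []
    for child in root:
        name = _local(child.tag)
        if name == 'Name':
            bucket = (child.text or '').strip()
        elif name == 'IsTruncated':
            truncated = (child.text or '').strip().lower() == 'true'
        elif name == 'Contents':
            fields = {_local(f.tag): (f.text or '').strip() for f in child}
            entries.append({
                'key': fields.get('Key', ''),
                'size': int(fields.get('Size') or 0),
                'last_modified': fields.get('LastModified', ''),
            })
    if not bucket:
        raise ValueError('listing has no <Name> element')
    return bucket, truncated, entries


def open_db(path=':memory:'):
    """Create the listing table; each bucket/key pair is stored once."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS listing (
        bucket TEXT NOT NULL, key TEXT NOT NULL, size INTEGER,
        last_modified TEXT, truncated INTEGER NOT NULL,
        PRIMARY KEY (bucket, key))""")
    return conn


def store_listing(conn, xml_text):
    """Parse one saved index page and upsert its entries; returns (bucket, truncated, count)."""
    bucket, truncated, entries = parse_listing(xml_text)
    conn.executemany(
        "INSERT OR REPLACE INTO listing VALUES (?, ?, ?, ?, ?)",
        [(bucket, e['key'], e['size'], e['last_modified'], int(truncated)) for e in entries])
    conn.commit()
    return bucket, truncated, len(entries)


def search_files(conn, needle):
    """Substring search over stored object keys (the portal's file-name query).

    The needle is bound as a parameter, never concatenated into the SQL, so a
    user-supplied search string cannot change the query; LIKE wildcards in the
    needle are escaped so they match literally.
    """
    escaped = needle.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')
    rows = conn.execute(
        "SELECT bucket, key, size, truncated FROM listing "
        "WHERE key LIKE ? ESCAPE '\\' ORDER BY bucket, key",
        ('%' + escaped + '%',)).fetchall()
    return [{'bucket': b, 'key': k, 'size': s, 'truncated': bool(t)} for b, k, s, t in rows]


if __name__ == '__main__':
    db = open_db()
    print(store_listing(db, SAMPLE_LISTING))
    for hit in search_files(db, '.sql'):
        print(hit)
```

Feeding the module several saved index files into one database and querying with `search_files` gives the same file-name lookup the portal offered; a hit with `truncated` set means the bucket holds more than the stored page shows.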

Do you think this website could be used by bad people?

It could be, in the same way that, in my opinion, bad people could use the data collected by Shodan, Censys or even Google (read something about Google dorking).

BuckHacker is an amateur project. It took us around 100 working hours to develop it from scratch, from the design concept (?) to the portal.

All the people involved in the project come from reverse engineering backgrounds, and we are not experts in web application development, so this was quite an uncommon task for us. We think bad guys, with their resources, could do far better than us.

We have also set up some sort of “bucket honeypots” and we are seeing a lot of people probing for buckets. We think bad actors could develop even more powerful tools in no time. I’m saying more powerful because they can collect data with credentials and test for write access, something we are not doing and don’t want to do.
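The post does not describe how its bucket honeypots work, so the following is an added example (not the project’s code) of how a bucket owner can see the same probing in their own logs. It assumes the S3 server access log format (owner, bucket, bracketed time, remote IP, requester, request id, operation, key, quoted request URI, status, error code, and so on); the log lines are constructed, with fields after the user-agent omitted because the parser does not use them. Only anonymous listing requests (`REST.GET.BUCKET` with requester `-`) are counted, and a 200 response is flagged separately because it means the bucket actually served its listing to an anonymous caller.

```python
import re
from collections import defaultdict

# Constructed S3 server access log lines (not real traffic). Field order follows
# the documented format: bucket owner, bucket, [time], remote IP, requester
# ("-" = anonymous), request id, operation, key, "request-URI", HTTP status,
# error code, bytes sent, object size, total time, turnaround time, "referer",
# "user-agent". Trailing fields are omitted here; the parser does not need them.
SAMPLE_LOG = """\
0123456789abcdef honeypot-bucket [15/Feb/2018:10:01:02 +0000] 198.51.100.7 - 7A8B9C0D1E2F3A4B REST.GET.BUCKET - "GET /honeypot-bucket/ HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "Mozilla/5.0"
0123456789abcdef honeypot-bucket [15/Feb/2018:10:01:03 +0000] 198.51.100.7 - 7A8B9C0D1E2F3A4C REST.GET.BUCKET - "GET /honeypot-bucket/?max-keys=1000 HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "Wget/1.19"
0123456789abcdef honeypot-bucket [15/Feb/2018:10:05:44 +0000] 203.0.113.9 - 7A8B9C0D1E2F3A4D REST.GET.BUCKET - "GET /honeypot-bucket/ HTTP/1.1" 200 - 1532 - 15 - "-" "python-requests/2.18"
0123456789abcdef honeypot-bucket [15/Feb/2018:10:07:00 +0000] 192.0.2.20 0123456789abcdef 7A8B9C0D1E2F3A4E REST.GET.OBJECT index.html "GET /honeypot-bucket/index.html HTTP/1.1" 200 - 512 512 8 7 "-" "aws-cli/1.14"
this line is not in the expected format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes>\S+) '
    r'(?P<obj_size>\S+) (?P<total_ms>\S+) (?P<turnaround_ms>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def anonymous_listing_report(log_text):
    """Summarise anonymous bucket-listing attempts (REST.GET.BUCKET with requester '-').

    Returns a dict with:
      probes_by_ip   - number of anonymous listing attempts per source IP
      agents_by_ip   - user-agents seen per source IP (helps spot scanners)
      served_buckets - buckets that returned a listing (status 200) to an
                       anonymous caller, i.e. buckets whose contents are public
    """
    probes = defaultdict(int)
    agents = defaultdict(set)
    served = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['operation'] != 'REST.GET.BUCKET' or rec['requester'] != '-':
            continue  # authenticated requests and object reads are out of scope here
        probes[rec['ip']] += 1
        agents[rec['ip']].add(rec['agent'])
        if rec['status'] == '200':
            served.add(rec['bucket'])
    return {
        'probes_by_ip': dict(probes),
        'agents_by_ip': {ip: sorted(a) for ip, a in agents.items()},
        'served_buckets': sorted(served),
    }


if __name__ == '__main__':
    report = anonymous_listing_report(SAMPLE_LOG)
    for ip, n in sorted(report['probes_by_ip'].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} anonymous listing attempt(s), agents {report['agents_by_ip'][ip]}")
    print("buckets that served an anonymous listing:", report['served_buckets'])
```

A denied probe (403) tells the owner someone is enumerating; a served listing (200) tells them the bucket policy itself is the problem and needs fixing, regardless of who asked.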

Do you plan to bring the portal online again?

We think we are not yet ready for a search engine for open buckets. We kept the portal online for around 8h and people started to find scary results. We went online with a test database containing the data of one single cloud provider; in our development system we have 2 or 3 times more data. For the moment we have decided to keep the server offline. This for sure will not increase security. We sincerely hope to collaborate with vendors to improve bucket security.
