Bug Bounty Hunting Tips #3 — Kicking S3 Buckets

There has been a lot of press recently about misconfigured Amazon S3 buckets leaking confidential information. The root cause of this is that in the past S3 buckets have been incredibly easy to misconfigure. Sometimes buckets are made web accessible by anyone. Other times buckets are web restricted but can be accessed through Amazon S3 API by any authorised user.

Due to the nature and number of these breaches, Amazon have recently released their Trusted Advisor service for S3 for free to everyone to try to crack down on the problem. The challenge now is getting people to look at the new output and make changes based on the feedback. In the meantime, let’s have some fun kicking over S3 buckets to see what bounties fall out.

Finding S3 Buckets

S3 buckets are all reachable via a web interface, whether access is permitted or not. The URL format is:

http://<bucketname>.s3.amazonaws.com
- or -
http://s3.amazonaws.com/<bucketname>

The naming convention for S3 buckets can be summarised as follows:

• Bucket names must be at least 3 and no more than 63 characters long.
• Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number.
• Bucket names must not be formatted as an IP…