GoDaddy internal systems data exposed in AWS security error

AWS blamed for exposing GoDaddy's internal documents

Domain registrar and web-hosting company GoDaddy has seen details leaked of its cloud infrastructure in an unsecured Amazon Web Services (AWS) S3 bucket - with AWS accused of a configuration error exposing the data.

The completely unsecured bucket was uncovered by the UpGuard Cyber Risk Team in June.

It described the trove as "documents appearing to describe GoDaddy infrastructure running in the Amazon AWS cloud".

It added: "The exposed documents include high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios...

"Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields."

Intriguingly, perhaps, the data reveals discounts that GoDaddy appears to have negotiated with AWS.

GoDaddy was given a chance to plug the leaks, but after five weeks, UpGuard decided to go public as they still hadn't been locked down.

However, the security failing has been attributed to AWS. In a statement to Engadget, the company admitted its culpability: "The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer.

"No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket."

The documents are said to be "speculative" rather than definitive, showing possible rather than live data. Nevertheless, Upguard warned that, in the wrong hands, it could be used as the starting point for a compromise of GoDaddy's systems.

"There are two main vectors by which this data could have been exploited: using the configuration data of the GoDaddy servers as a 'map' which would allow malicious actors to select targets based on their role, probable data, size, and region, and using the business data as a competitive advantage for cloud hosting strategy and pricing.

"The system configuration data offers a potential attacker information about GoDaddy operations. Similar 'casing' information is often sought through social engineering and internet-research to make other attacks as effective and efficient as possible - every data point helps to achieve that goal.

"The 'workload' column particularly would help point attackers in the right direction, highlighting which systems serve more important functions and likely house important data.

"While not directly providing credentials or exposing sensitive information stored on these servers, exposures of configuration details for digital infrastructure can provide a stepping stone to attacks that do access such information."

GoDaddy is the world's biggest domain name registrar employing around 6,000 staff and claiming more than 18 million customers.