Six per cent of Google Cloud buckets are misconfigured and vulnerable to unauthorised access, research reveals

Finding exposed cloud databases on the internet is not a difficult job, according to researchers

Nearly six per cent of all Google Cloud buckets are vulnerable to unauthorised access due to misconfiguration issues, according to the latest research by Comparitech's cyber security team.

Buckets, in cloud storage, are the basic containers used to hold data. Everything that a user stores in cloud storage must be contained in a bucket. Admins can use these containers to organise their data and to control access to it. However, unlike folders and directories, buckets cannot be nested inside one another.

In a blog post published on Tuesday, Comparitech's Paul Bischoff revealed that their team recently attempted to search for open buckets on the web. They started by scanning the web using a tool which is easily available to admins but also to hackers.

In their web search, the researchers looked for Alexa's top 100 web domains, in combination with some common words, such as "db", "database", and "bak" used by admins when naming their buckets.

Through this web scan, the research team was able to discover 2,064 Google Cloud buckets in about 2.5 hours.

After analysing all 2,064 buckets, the researchers found that 131 of them (nearly 6 per cent) were misconfigured and vulnerable to unauthorised access.

According to Comparitech, the exposed data included nearly 6,000 scanned documents containing confidential information, such as passport details and birth certificates of children in India. A database belonging to a Russian web developer was also found that leaked the developer's chat logs and email server credentials.

Bischoff warns that uncovering exposed cloud databases on the internet is not a difficult job. In the case of Google Cloud Storage, there are naming guidelines that make open buckets easy to find. Such buckets can contain sensitive files, source code, credentials and databases, which can be illegally accessed by malicious actors.

According to Bischoff, admins can check whether their bucket is exposed by using gsutil (Google's official command-line tool) or the BucketMiner tool to scan the web. Scanning for a company's name on Google and Amazon infrastructure will display some filenames, images, or other stats, suggesting whether the bucket is open.
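A defender-side take on the gsutil check mentioned above, as an added example that is not from Comparitech's post: it reads the JSON that `gsutil iam get gs://BUCKET` prints for a bucket you administer and flags bindings granted to `allUsers` or `allAuthenticatedUsers`. The sample policy, project name and e-mail address are constructed, and the function names are illustrative.

```python
import json

# Principals that make a Cloud Storage IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that only allow listing or reading.
READ_ONLY_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
}

def public_bindings(policy_json):
    """Return sorted (role, member) pairs granted to public principals."""
    policy = json.loads(policy_json)
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.add((role, member))
    return sorted(findings)

def classify(findings):
    """Summarise exposure as 'private', 'public-read' or 'public-write'."""
    if not findings:
        return "private"
    # Conservative: any public role not known to be read-only counts as write.
    if all(role in READ_ONLY_ROLES for role, _ in findings):
        return "public-read"
    return "public-write"

# Constructed sample in the shape of `gsutil iam get` output.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:admin@example.com"]}
  ],
  "etag": "CAE="
}
"""

if __name__ == "__main__":
    found = public_bindings(SAMPLE_POLICY)
    for role, member in found:
        print(f"PUBLIC: {member} holds {role}")
    print("verdict:", classify(found))
```

The bucket-level IAM policy does not show per-object ACLs, so a bucket without uniform bucket-level access can still hold individually public objects.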

Bucket misconfiguration issues are found on all cloud storage platforms, including Amazon and Microsoft.

Earlier this year, security researchers at vpnMentor discovered an unsecured database stored in an Amazon Web Services (AWS) S3 bucket containing information belonging to the HR departments of various British consultancy firms.

The researchers said they were able to see all files stored in the database, including thousands of passport scans, tax documents, background checks, job applications, expense forms, scanned contracts, emails and salary details.

Research carried out by Rapid7 in 2013 revealed that one in six buckets on Amazon's S3 were misconfigured, leading to the exposure of business data to the public.