Media reports detail an Amazon S3 bucket misconfiguration that has led to a serious data breach. According to ZDNet, a UK-based security researcher found two public S3 buckets belonging to TeenSafe, a mobile app for iOS and Android that allows parents to monitor the texts, calls, locations and social media exchanges of their children. The buckets were reportedly left unsecured and accessible to anyone without a password. This breach exposed at least 10,200 records covering the preceding three months, including children’s Apple IDs and plaintext passwords, device names and the devices’ unique identifiers.
This latest incident is another instance of an Amazon S3 bucket being misconfigured and left publicly accessible. This breach is particularly serious due to the potential for online predators to access the personal details of minors. It may also leave the affected children (and their parents) more vulnerable to identity theft in the future.
By default, all new Amazon S3 resources, including buckets, are private, and since November they have also been encrypted. A bucket and its contents become public only if they are explicitly configured that way. Permissions inheritance can be complicated, so AWS provides a free tool for its customers to identify any buckets that are publicly accessible.
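To show why layered permissions are easy to get wrong, here is an added Python example (not from the original report and not AWS's own tool) that decides whether a bucket is effectively public from its ACL, its bucket policy and its Block Public Access flags. The function names are hypothetical, the inputs are assumed to be shaped like the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses, and Block Public Access is an S3 setting the article does not mention.

```python
import json

# Predefined S3 groups whose ACL grants apply to everyone (or to any AWS account).
ACS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACS + "AllUsers", ACS + "AuthenticatedUsers"}

def public_acl_grants(acl):
    """Return the permissions a GetBucketAcl-shaped dict grants to public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def _is_wildcard(principal):
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def public_policy_statements(policy_json):
    """Return Allow statements open to any principal and carrying no Condition."""
    # Assumption (simplification): any Condition is treated as restricting access.
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _is_wildcard(s.get("Principal")) and not s.get("Condition")]

def audit_bucket(acl, policy_json=None, block=None):
    """Combine ACL, policy and Block Public Access flags into one verdict."""
    block = block or {}
    reasons = []
    grants = public_acl_grants(acl)
    if grants and not block.get("IgnorePublicAcls"):    # flag makes S3 ignore public ACLs
        reasons.append("ACL grants to everyone: " + ", ".join(grants))
    stmts = public_policy_statements(policy_json)
    if stmts and not block.get("RestrictPublicBuckets"):  # flag cuts off anonymous access
        reasons.append(f"policy has {len(stmts)} public Allow statement(s)")
    return {"public": bool(reasons), "reasons": reasons}

# Constructed sample input, not data from the incident described above.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ACS + "AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY))
```

Either path alone is enough to expose data: a bucket with a clean ACL can still be public through its policy, and the reverse.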
Duncan is a technology professional with over 20 years’ experience working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.