As you’ll know, AWS provides a service called S3 (Simple Storage Service). Seems it is just as simple as it sounds. Buckhacker, the name of the tool, lets anyone crawl AWS buckets and search for data from private companies, governments, universities and more.
It’s basically Google, but for unsecured private data.
“The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years,” said one of the devs, who obviously wants to stay anonymous.
Where’s the bucket?
Buckhacker lets you search by bucket name (which could be a company name, for example) or by filename. It’s pretty barebones but wasn’t meant to go live just yet. The developer told Motherboard:
“I was sharing the project privately with some friends but unfortunately then we go public before the time. Actually we are even thinking to shutdown it because is quite unstable.”
Crawling through AWS holes isn’t new; there were geeky CLI tools around in the past. This is the easiest-to-use tool released to date, though.
Oddly, Amazon didn’t respond to our request to comment.