Researchers at Mitiga discovered that hundreds of databases were being exposed and leaking personally identifiable information (PII) monthly through a publicly exposed Amazon cloud service that bad actors could then exploit.
Amazon Relational Database Service is a platform-as-a-service for optional engines like MySQL, and has an intuitive feature called “RDS snapshot” that allows a user to share public data or a template database to an application, Mitiga explained in a Nov. 16 post. The feature makes it easier to share a snapshot with colleagues while “not having to deal with roles and policies,” making a snapshot public for “just a few minutes.”
While it may be convenient to allow colleagues to view a snapshot of the database by making it public ever so briefly, it could become a huge problem if bad actors stumbled across the snapshot. And as the Mitiga team learned after some investigation, some of the snapshots weren’t public for just a few minutes — some were available for hours, days, weeks and, in one case, several years.
Digging deeper, the folks at Mitiga “developed an AWS-native technique, using AWS Lambda Step Function and boto3, to scan, clone, and extract potentially sensitive information from RDS snapshots in scale,” to extract PII over a one-month period. They found data such as names, phone numbers, email, mac address, client access tokens, and application ID of the apps of the user. One of the DBs they found was created in 2015 and was still public. In all, Mitiga found 2,783 snapshots in a month.
The researchers concluded: “We think it’s not an overstatement to assume the worst-case scenario — when you are making a snapshot public for a short time, someone might get that snapshot’s metadata and content. So, for your company and, more importantly, your customers' privacy — don’t do that if you are not 100% percent sure there is no sensitive data in the content or in the metadata of your snapshot.”
Check out Mitiga’s post for how to check if your snapshot is available publicly and prevention methods.