About six percent of the Google Cloud Storage buckets we sampled are misconfigured and/or vulnerable to attack: of 2,064 buckets analyzed, 131 allowed unauthorized users to list, download, and/or upload files. Such buckets can contain confidential files, databases, source code, and credentials, among other things.
Attackers could exploit these misconfigurations to steal data, compromise websites, and launch further attacks. They are easy to exploit, our researchers say.
Among the exposed data we uncovered 6,000 scanned documents containing passports, birth certificates, and personal profiles from children in India.
Another database belonging to a Russian web developer included email server credentials and the developer’s chat logs.
Google declined Comparitech’s request for comment, but it did respond with some links to guidance on how to secure Google Cloud buckets, which you can find at the bottom of this article.
Finding exposed Google buckets
Google buckets adhere to a few naming guidelines that make them easy to find. Among them:
- Bucket names must contain only lowercase letters, numbers, dashes (-), underscores (_), and dots (.). Spaces are not allowed.
- Bucket names must start and end with a number or letter.
- Bucket names (or dot-separated components of names) must contain 3–63 characters.
Our researchers scanned for buckets using a tool of a kind that is available to administrators and malicious hackers alike. They searched for domain names from Alexa’s top 100 websites in combination with common words used when naming buckets, such as “bak”, “db”, “database”, and “users”.
Filtering based on the search input and the naming guidelines, they were able to find more than 2,000 buckets in about 2.5 hours. Our researchers noted they could likely improve their analysis to cover even more domains. Note that just because a bucket name contains a particular company name, such as Facebook, it does not mean that the bucket belongs to that company.
With the list of buckets in hand, the researchers then went about checking if each one was vulnerable or misconfigured. About six percent of the buckets could be accessed without authentication.
This is where our researchers’ analysis stopped, but of course, an attacker could go much further. For example, an attacker could download every file in a bucket using gsutil, Google’s official command-line tool for managing buckets, or, where the bucket also permits anonymous writes, upload files of their own.
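The discovery step described above, as an added example that is not part of the original article or of the researchers’ tool: it applies the naming rules listed earlier to filter candidate names built from a target domain and a short wordlist, then asks Cloud Storage’s public JSON API whether an anonymous caller can list each bucket. The target domain “example.com”, the two-word list, and the canned HTTP responses in `constructed_fetch` are assumptions so that the script runs offline; replace `constructed_fetch` with the default `_http_status` to probe live, and only do that against buckets you are authorized to test.

```python
import re
import urllib.error
import urllib.request

# Cloud Storage naming rules: the three quoted on the page plus the
# IP-address and "goog"/"google" restrictions from Google's documentation.
_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` could be a Cloud Storage bucket name."""
    if not _NAME_RE.match(name) or len(name) < 3:
        return False
    if "." in name:
        # Dotted names may run to 222 characters, each component at most 63.
        if len(name) > 222 or any(len(part) > 63 for part in name.split(".")):
            return False
    elif len(name) > 63:
        return False
    if _IPV4_RE.match(name) or name.startswith("goog") or "google" in name:
        return False
    return True


def candidate_names(domain: str, words) -> list:
    """Combine a target domain with common bucket words, e.g. 'example-bak'."""
    label = domain.split(".")[0]
    names = {label, domain}
    for word in words:
        names.add(label + word)
        for sep in "-_.":
            names.add(f"{label}{sep}{word}")
            names.add(f"{word}{sep}{label}")
    return sorted(n for n in names if is_valid_bucket_name(n))


def classify_status(status: int) -> str:
    """Interpret the JSON API's answer to an unauthenticated object-list request."""
    if status == 200:
        return "public-listable"   # anonymous callers can list objects
    if status in (401, 403):
        return "exists-denied"     # bucket exists; listing needs credentials
    if status == 404:
        return "missing"           # no such bucket
    return f"unknown-{status}"


def _http_status(url: str) -> int:
    """Live probe: HTTP status of an anonymous GET (errors carry the status too)."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_bucket(name: str, fetch=_http_status) -> str:
    """Ask the public JSON API whether anonymous callers can list `name`."""
    url = f"https://storage.googleapis.com/storage/v1/b/{name}/o?maxResults=1"
    return classify_status(fetch(url))


def scan(domain: str, words, fetch=_http_status) -> dict:
    """Map every plausible bucket name for `domain` to its access verdict."""
    return {name: probe_bucket(name, fetch) for name in candidate_names(domain, words)}


# Constructed responses standing in for the network; these are not real buckets.
CONSTRUCTED_RESPONSES = {"example-bak": 200, "example_db": 403, "example.com": 401}


def constructed_fetch(url: str) -> int:
    """Offline stand-in for _http_status that answers from CONSTRUCTED_RESPONSES."""
    name = url.split("/b/", 1)[1].split("/", 1)[0]
    return CONSTRUCTED_RESPONSES.get(name, 404)


if __name__ == "__main__":
    for name, verdict in scan("example.com", ["bak", "db"], constructed_fetch).items():
        if verdict != "missing":
            print(f"{verdict:16} {name}")
```

The 401/403 distinction matters less than it looks: both mean the name is taken, which is the signal an attacker uses to refine a wordlist. Only a 200 on the anonymous listing is the misconfiguration the article counts.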
How to prevent unauthorized access to Google buckets
Google’s guidance on securing Google Cloud buckets is as follows:
- Turn on uniform bucket-level access and its org policy
- Enable domain-restricted sharing
- Encrypt your Cloud Storage data with Cloud KMS
- Audit your Cloud Storage data with Cloud Audit Logging
- Secure your data with VPC Service Controls
Google also pointed to its documentation for the relevant services:
- VPC Service Controls
- Cloud Identity and Access Management
- ACLs
- Cloud DLP
- Cloud Security Command Center
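The first two recommendations above (uniform bucket-level access and domain-restricted sharing) can be checked from a bucket’s metadata and IAM policy. The following is an added example, not code from the article or from Google: it audits the JSON that `gsutil iam get gs://BUCKET` returns (IAM policy) and the bucket resource’s `iamConfiguration.uniformBucketLevelAccess.enabled` field, flags world-readable or world-writable roles and members outside an allowed domain, and produces a hardened copy of the policy with the public principals stripped. The bucket name, the policy contents, and the allowed domain are constructed; the domain check is a simplified approximation of what the `constraints/iam.allowedPolicyMemberDomains` org policy enforces, and `gsutil ubla set on gs://BUCKET` is the command that turns uniform access on.

```python
import copy
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list:
    """(role, [public principals]) for every binding open to the world."""
    found = []
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC_PRINCIPALS & set(binding.get("members", [])))
        if exposed:
            found.append((binding["role"], exposed))
    return found


def _member_domain(member: str):
    """'user:a@example.com' -> 'example.com'; principals without a domain -> None."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group", "serviceAccount") and "@" in ident:
        return ident.rsplit("@", 1)[1]
    if kind == "domain":
        return ident
    return None


def foreign_members(policy: dict, allowed_domains) -> list:
    """Named members outside `allowed_domains` (simplified domain-restricted sharing)."""
    allowed = set(allowed_domains)
    out = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                continue  # reported separately by public_bindings
            if _member_domain(member) not in allowed:
                out.append((binding["role"], member))
    return out


def uniform_access_enabled(bucket: dict) -> bool:
    """Read iamConfiguration.uniformBucketLevelAccess.enabled from bucket metadata."""
    cfg = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    return bool(cfg.get("enabled", False))


def hardened_policy(policy: dict) -> dict:
    """Copy of `policy` with allUsers/allAuthenticatedUsers removed from every role."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:  # drop roles that were granted only to the public
            kept.append(binding)
    new["bindings"] = kept
    return new


def audit(bucket: dict, policy: dict, allowed_domains) -> list:
    """Human-readable findings for one bucket; empty list means nothing to fix."""
    findings = []
    if not uniform_access_enabled(bucket):
        findings.append("uniform bucket-level access is off; legacy object ACLs still apply")
    for role, members in public_bindings(policy):
        findings.append(f"{role} granted to {', '.join(members)}")
    for role, member in foreign_members(policy, allowed_domains):
        findings.append(f"{role} granted to {member}, outside the allowed domains")
    return findings


# Constructed bucket metadata (JSON API bucket resource shape) and IAM policy
# (shape of `gsutil iam get` output); neither describes a real bucket.
CONSTRUCTED_BUCKET = {
    "name": "example-bak",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
CONSTRUCTED_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers", "user:contractor@example.org"]},
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]}
  ],
  "etag": "CAE="
}""")

if __name__ == "__main__":
    for line in audit(CONSTRUCTED_BUCKET, CONSTRUCTED_POLICY, ["example.com"]):
        print("FINDING:", line)
    print(json.dumps(hardened_policy(CONSTRUCTED_POLICY), indent=2))
```

Note that `allAuthenticatedUsers` is just as public as `allUsers` for this purpose: any Google account qualifies, so a bucket that grants it `objectCreator` is world-writable. The hardened policy keeps the `etag`, so it can be written back with `gsutil iam set` and the write will fail safely if someone else changed the policy in between.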