CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Cloud Security

AWS S3 Buckets at Risk of “GhostWriter” MiTM Attack

GhostWriter: Writable AWS S3 Buckets Could Be Exploited to Overwrite Existing Data and Files, or Upload Malware

GhostWriter: Writable AWS S3 Buckets Could Be Exploited to Overwrite Existing Data and Files, or Upload Malware

The exposure of sensitive data via misconfigured AWS S3 buckets has been regular over the last few years. In two months this summer, researchers discovered thousands of potentially sensitive files belonging to the U.S. National Geospatial-Intelligence Agency (NGA); information on millions of Verizon customers; and a database containing details of 198 million American voters.

In each case a misconfiguration of the S3 buckets left the data freely accessible to anyone via the internet. Amazon’s ‘shared responsibility’ model clearly states that Amazon is responsible for security of the cloud (that is, the cloud infrastructure) while the customer is responsible for security in the cloud (that is, protecting data through AWS configuration and/or other means). In leaving the data open to public reads, S3 data exposure is clearly the fault of the customers and not Amazon.

Now, however, Skyhigh Networks research has discovered that some AWS customers are also leaving their data open to public writes. Skyhigh calls this vulnerability, ‘GhostWriter‘. In a blog post Friday, chief scientist & VP Eng., Sekhar Sarukkai, warned, “In such cases a 3rd party, unbeknownst to either the data owner or the data consumer, can launch a surreptitious man-in-the-middle (MITM) attack.”

Vulnerable buckets found by Skyhigh — which has reported its findings to AWS — are owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. An adversary merely has to locate writable buckets to be able to overwrite existing data and files, or upload malware into the bucket.

“Bucket owners who store JavaScript or other code should pay particular attention to this issue,” warns Sarukkai, “to ensure that 3rd parties don’t silently overwrite their code for drive-by attacks, bitcoin mining or other exploits. Even benign image or document content left open for overwriting can be exploited for steganography attacks or malware distribution.”

Ironically, this vulnerability could affect researchers who find a readable bucket and download the data for analysis, not knowing that a third-party has already altered the data. However, the biggest danger will be to the data owners and authorized users who access the stored data. They could download and use incorrect data, or even download malware from their own or a partner’s data.

It is not known whether this vulnerability has ever been exploited — but it certainly exists. “We’ve informed our customers about misconfigured S3 Buckets and the possible opportunity for GhostWriter attacks and there has been some alarm,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek. “Some have been experiencing issues of differing severity recently which GhostWriter may have been the cause of. Considering how widely used S3 is, it’s hard to see how it hasn’t been exploited. We have worked with those customers and AWS to rectify configurations.” 

Advertisement. Scroll to continue reading.

Sarukkai believes that there are two aspects to staying safe from GhostWriter: ‘trust but verify’ (by ensuring that staff can only download from own or third-party buckets that are not susceptible to GhostWriter); and ‘trust but audit’ (by making sure that an organization’s own S3 buckets are not publicly writable).

Skyhigh Networks has the facility to audit S3 buckets used by its own CASB customers, while “AWS provides many native best-practices and tools to manage and validate policies for configuring S3,” notes Sarukkai. In August, Amazon announced a new service called Macie. Macie uses machine learning to help its customers discover, classify and protect sensitive data. 

Related: Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report 

Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.