Amazon Web Services: Bitcoin wallets with private keys freely accessible on the net



One researcher found thousands of openly accessible Elastic Block Store volumes full of confidential data on the web, where they could be searched at will. Tons of confidential source code, databases with personal data including admin passwords, VPN login data, AWS keys, Google OAuth tokens, SSH private keys, Bitcoin wallets including private keys: a researcher found all of this freely accessible on the net, because Amazon Web Services users had intentionally switched their virtual disks from “private” to “public”. The good news: the hacker Ben Morris, who came across tens or even hundreds of thousands of freely accessible Elastic Block Store (EBS) volumes, is giving affected users a two-week grace period. Only then will he publish his software for searching public EBS volumes, called Dufflebag, on GitHub.

Consequential shift to “public”

Virtual disks are created automatically when an Elastic Compute Cloud (EC2) instance requires storage. As Morris explained in his talk at DEF CON 27, Amazon sets EBS storage to “private” by default, i.e. not freely accessible from the Internet. The volumes discovered by the hacker must therefore have been deliberately set to “public” by their users. The problem here is that public, unencrypted EBS storage can be searched at will, in contrast to Amazon S3 buckets, which can only be accessed if you know their exact name. Since, according to Ben Morris, virtually anyone can search for confidential data stored on public EBS volumes, such data must be considered compromised. The hacker advises immediately taking EBS volumes that hold confidential data off the network and immediately changing any login data disclosed in this way.

Rich loot: Confidential data of all kinds

The list of confidential data discovered by Morris is long. Among other things, he found: web applications including source code, API keys and database passwords; AWS keys used to operate a bot, programmed by a service provider, that crawls the social media activities of the terrorist organization Islamic State on behalf of the US government; credentials of a “root” user that would have allowed a complete takeover of the associated AWS account; a Jenkins installation of a major software company that works as a supplier to Apple and Salesforce, including confidential source code and login information; OpenVPN connection files; WordPress installations including password hashes; Bitcoin wallets including private keys; and SQL databases containing tens of thousands of personal records including email addresses and hashed passwords. Morris treated all discoveries according to the motto “just look, do not touch”: he did not use any login credentials and deleted all collected data after evaluating it.

Dufflebag tool soon publicly available

He discovered the volumes using Dufflebag, which simply uses the functions provided by the AWS EBS API to duplicate public volumes, attach the copy to the hacker’s EC2 instance, search it using whitelists and blacklists, and then detach and delete it again so as not to incur unnecessary costs. It took between two and five minutes per volume. Overall, the hacker says he paid well over $300 to Amazon to search about 20,000 EBS volumes. He selected the volumes on the basis of filter criteria in order to keep the effort reasonable: he did not search volumes larger than 100 gigabytes, and none that belonged to the top five volume creators. According to Morris, Amazon and GitHub were among those top five; their publicly available data quickly proved uninteresting to him.
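The defensive counterpart to the search described above is to audit your own account for EBS data that has been made public. The following is an added example, not code from the article or from Dufflebag: AWS exposes EBS data for sharing through snapshot attributes, so the check inspects each snapshot's `createVolumePermission` for the `all` group (anyone). The live functions assume boto3 and valid AWS credentials; the sample API responses used by the pure functions are constructed.

```python
"""Audit an AWS account's own EBS snapshots for public create-volume permission."""

PUBLIC_GROUP = "all"  # the group name AWS uses for "any AWS account"


def is_public(attr_response):
    """True if a DescribeSnapshotAttribute(createVolumePermission) response
    grants the 'all' group permission to create volumes from the snapshot."""
    for perm in attr_response.get("CreateVolumePermissions", []):
        if perm.get("Group") == PUBLIC_GROUP:
            return True
    return False


def find_public_snapshots(snapshot_ids, get_attribute):
    """Return the IDs whose createVolumePermission attribute is public.
    get_attribute(snapshot_id) must return the raw API response dict."""
    return [sid for sid in snapshot_ids if is_public(get_attribute(sid))]


# Constructed sample responses in the shape of the EC2 API (not real snapshots).
SAMPLE_ATTRIBUTES = {
    "snap-0constructed0001": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0constructed0002": {"CreateVolumePermissions": []},
    "snap-0constructed0003": {"CreateVolumePermissions": [{"UserId": "123456789012"}]},
}


def audit_account(region_name="us-east-1"):
    """Live check: list snapshots owned by this account and report public ones."""
    import boto3  # imported here so the pure functions above work offline

    ec2 = boto3.client("ec2", region_name=region_name)
    ids = [
        s["SnapshotId"]
        for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
        for s in page["Snapshots"]
    ]

    def get_attribute(sid):
        return ec2.describe_snapshot_attribute(
            SnapshotId=sid, Attribute="createVolumePermission")

    return find_public_snapshots(ids, get_attribute)


def make_private(ec2, snapshot_id):
    """Remediation: revoke the 'all' group's create-volume permission."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=[PUBLIC_GROUP])


if __name__ == "__main__":
    print(find_public_snapshots(SAMPLE_ATTRIBUTES, SAMPLE_ATTRIBUTES.__getitem__))
```

Run `audit_account()` in each region you use; a snapshot shared with a specific account ID (as in the third sample) is not public and is not reported.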
