Update, 8/11/18, 7:10am PT:
Amazon issued a clarification to Tom's Hardware, stating that no GoDaddy customer information was stored in the exposed S3 bucket:
"The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer. No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”
Original, 8/9/18, 9:40am PT:
GoDaddy appears to be the latest company to have its sensitive information exposed via a public Amazon Web Services (AWS) S3 cloud storage bucket, even after Amazon took some steps to prevent similar leaks.
GoDaddy Configuration Data Leaked
UpGuard discovered that sensitive documents about GoDaddy’s AWS cloud infrastructure were being exposed to the public via GoDaddy’s AWS S3 storage buckets, which seem to have been made public by mistake. UpGuard is the the same security company that discovered the Pentagon’s social media surveillance operations via public AWS S3 buckets that the Pentagon forgot to secure.
GoDaddy's exposed documents contain high-level configuration information for tens of thousands of systems and pricing options for running those systems in AWS. The configuration information included fields for host names, operating systems, server workloads, AWS region, memory and CPU specs and more.
The discounts GoDaddy was getting for using AWS infrastructure were also leaked. If competitors saw this information, they could have tried to use them to negotiate more effectively with Amazon by requesting similar prices.
Data Leak Could Prove Costly to GoDaddy (and the Internet)
UpGuard's Cyber Risk Team notified GoDaddy about this data exposure, and the company closed it. However, there’s no telling if other parties have already seen that information and whether or not it may already be up for sale on black markets.
It’s not just competitors that can make use of this information, but also malicious attackers that want to disrupt the internet. As the largest web hosting provider, GoDaddy hosts about 20% of the internet. If attackers gain deep knowledge about how GoDaddy’s servers are configured, they could take advantage of it to facilitate a planned attack on GoDaddy’s infrastructure, similar to the attack we saw against DYN.
Over the past few years we’ve seen that too many companies aren’t properly configuring their S3 storage buckets, leading to many similar data exposures. Amazon has been largely to blame for this because it’s been too easy to make this kind of mistake on its service. However, at the end of the day, it’s ultimately the responsibility of the companies that put their data on a public cloud to ensure that data not meant to be public stays that way.
