
Hackers are targeting forgotten or misconfigured cloud storage buckets, seeking sensitive data or resources to serve malware to others. Google has shared its best practices to prevent dangling bucket takeovers and is urging developers to secure their cloud environments.
Google is warning of dangling bucket attacks, which happen when developers delete a storage bucket, but references to it still exist in the application code, mobile apps, public documentation, or elsewhere.
“An attacker can then simply claim the same bucket name in their own project, effectively hijacking your old address to potentially serve malware and steal data from users who unknowingly still rely on a bucket that is no longer officially in use,” the tech giant says.
Google recommends a careful decommissioning process for this type of cloud storage and shared a four-step advisory on securing the dangling buckets.
First, before deleting any bucket, cloud admins should “take the time to understand who and what are still accessing the bucket.”
Logs reveal recent traffic, and if new requests are coming from old versions of the app, third-party services, or users, they should be investigated. Traffic from bots, data crawlers, and scanners can be safely ignored.
“Pay extra attention to requests attempting to pull executable code, machine learning models, dynamic web content (such as JavaScript), and sensitive configuration files,” Google warns.
Second, Google advises waiting at least a week before deleting the bucket. Observing a full cycle of activity, such as weekly reports, batch jobs, and infrequent user access, increases confidence that nothing still depends on it.
“After you’ve verified that no legitimate traffic is hitting the bucket for at least a week, and you've updated all of your legacy code, then you can proceed with deleting the bucket,” the post reads.
Google reminds users that deleting a Google Cloud project also erases all resources associated with it, including buckets.
Next, proactive discovery of dangling bucket references is crucial, including analyzing logs for 404 errors and scanning codebases for outdated references.
“A high volume of failed requests to the same non-existent bucket name is a major red flag.”
Google advises scanning the codebase and documentation for any references to storage bucket names that may no longer be in use. Developers who identify a dangling bucket that they no longer own should immediately remove hardcoded references and deploy fixes to users.
“If you find a dangling bucket name that might represent a security risk to you or your clients, act fast.”
The dangling buckets that companies still own can be reclaimed by creating a new storage bucket with the same name in a secure project they control. These buckets should be locked down with restrictive IAM policies.
Google also shared detection scripts that may help developers to identify dangling buckets.
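The two discovery checks described above (many 404s against one missing bucket name, plus bucket names still referenced in code and docs) can be combined into a single triage script. The following is an added example written for this article, not Google's detection script; the log format and the sample sources are constructed and simplified, so the parser would need adjusting for real Cloud Storage logs.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified "timestamp method path status"
# format (not Google's real Cloud Storage log schema).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z GET /old-assets-prod/app.js 404
2024-05-01T10:00:02Z GET /old-assets-prod/app.js 404
2024-05-01T10:00:03Z GET /old-assets-prod/model.bin 404
2024-05-01T10:00:04Z GET /current-assets/app.js 200
2024-05-01T10:00:05Z GET /old-assets-prod/config.json 404
2024-05-01T10:00:06Z GET /legacy-docs/readme.txt 404
"""

# Constructed sample source files (path -> contents) standing in for a codebase scan.
SAMPLE_SOURCES = {
    "mobile/config.kt": 'val CDN = "https://storage.googleapis.com/old-assets-prod/app.js"',
    "scripts/deploy.sh": "gsutil cp build/model.bin gs://current-assets/model.bin",
    "docs/README.md": "Download from gs://legacy-docs/readme.txt",
}

# Bucket names are 3-63 chars of lowercase letters, digits, dots, dashes, underscores.
LOG_RE = re.compile(r"^\S+ \S+ /([a-z0-9._-]{3,63})/(\S*) (\d{3})$")
REF_RE = re.compile(r"(?:gs://|storage\.googleapis\.com/)([a-z0-9._-]{3,63})")

def count_missing_buckets(log_text):
    """Return {bucket: 404 count}; many 404s to one name is the red flag."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "404":
            counts[m.group(1)] += 1
    return dict(counts)

def find_bucket_references(sources):
    """Return {bucket: [file, ...]} for every bucket name referenced in code or docs."""
    refs = {}
    for path, text in sources.items():
        for bucket in set(REF_RE.findall(text)):
            refs.setdefault(bucket, []).append(path)
    return refs

def dangling_candidates(log_text, sources, threshold=2):
    """Buckets drawing >= threshold 404s that are still referenced: fix these first."""
    missing = count_missing_buckets(log_text)
    refs = find_bucket_references(sources)
    return sorted(b for b, n in missing.items() if n >= threshold and b in refs)

if __name__ == "__main__":
    print(dangling_candidates(SAMPLE_LOG, SAMPLE_SOURCES))
```

A name reported here should be reclaimed in a project you control (or its references removed) before anyone else can register it.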