Facebook records exposed on AWS cloud server lead to more navel-gazing over shared responsibility

Researchers at security firm UpGuard have disclosed two separate instances of Facebook user data being exposed to the public internet – and it again asks questions of the strategy regarding cloud security and shared responsibility.

The story, initially broken by Bloomberg, noted how one dataset, originating from Mexico-based Cultura Colectiva, contained more than 540 million records detailing comments, likes, reactions, and account names among others. The second, from a now-defunct Facebook-integrated app called ‘At the Pool’, contained plaintext passwords for 22,000 users.

UpGuard said that the Cultura Colectiva data was of greater concern in terms of disclosure and response. The company sent out its first notification email to the company on January 10 this year, with a follow-up email being sent four days later – to no response. Amazon Web Services (AWS), on which the data was stored, was contacted on January 28, with a reply arriving on February 1 informing that the bucket’s owner was made aware of the exposure.

Three weeks later, however, the data was still not secured. A further email from UpGuard to AWS was immediately responded to. Yet according to the security researchers, it was ‘not until the morning of April 3, after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled ‘cc-datalake’, was finally secured.’

So whither both parties? For Facebook, this can be seen as another blow, as UpGuard explained. “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” the company said.

“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” UpGuard added. “Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

As far as AWS is concerned, this is again not their first rodeo in this department. But the question of responsibility, as this publication has covered on various occasions, remains a particularly thorny one.

Stefan Dyckerhoff, CEO at Lacework, a provider of automated end-to-end security across the biggest cloud providers, noted that organisations needed to be more vigilant. “Storing user data in S3 buckets is commonplace for every organisation operating workloads and accounts in AWS,” said Dyckerhoff. “But as the Facebook issue highlights, they can inadvertently be accessible, and without visibility and context around the behaviour in those storage repositories, security teams simply won’t know when there’s a potential vulnerability.”

This admittedly may be a stance easier said than done given the sheer number of partners either building apps on the biggest companies’ platforms or using their APIs – many of whom may no longer exist. Yet it could be argued that of a shared responsibility, both parties may be missing the mark. “At issue is not [the] S3 bucket, but how it’s configured, and the awareness around configuration changes – some of which could end up being disastrous,” added Dyckerhoff.

In February, Check Point Software found that three in 10 respondents to its most recent security report still affirmed that security was the primary responsibility of the cloud service provider. This concerning issue is one that the providers have tried to remediate. In November AWS announced extra steps to ensure customers’ S3 buckets didn’t become misconfigured, having previously revamped its design to give bright orange warning indicators as to which buckets were public.

Writing for this publication in August, Hatem Naguib, senior vice president for security at Barracuda Networks, outlined the rationale. “Public cloud customers need to become clearer on what their responsibility is for securing their data and applications hosted by public cloud providers,” Naguib wrote. “Their platforms are definitely secure and migrating workloads into the cloud can be much more secure than on-premise data centres – however organisations do have a responsibility in securing their workloads, applications, and operating systems.”

You can read the full UpGuard post here.

https://www.cybersecuritycloudexpo.com/wp-content/uploads/2018/09/cyber-security-world-series-1.pngInterested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.