Aw, not you too, Verizon: US telco joins list of leaky AWS S3 buckets

Now is a good time to go check your own Amazon settings. It's OK, we'll wait

By Shaun Nichols in San Francisco


Yet another major company has burned itself by failing to properly secure its cloud storage instances. Yes, it's Verizon.

Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant's billing system and the Distributed Vision Service (DVS) software that powers it.

"DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data," Kromtech revealed today.

"Although no customers data are involved in this data leak, we were able to see files and data named 'VZ Confidential' and 'Verizon Confidential', some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure."

The researchers also say they were able to retrieve a number of Outlook messages, router host information, and "B2B payment server names and info."

The insecure instance, which had been configured to allow anyone on the internet to access, was closed after Kromtech reported the issue to Verizon.

As with previous S3 misconfigurations, this one seems to be down to human error, rather than any technical failings on the part of Verizon or AWS: we're told it was rather the result of someone forgetting to disable public access.

"Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent responsible notification email on September 21st," said the Kromtech team.

"Shortly after that, online archive has been took down and it has been later confirmed that the bucket was self-owned by Verizon Wireless engineer and it did not belong or managed by Verizon."

Verizon did not return a request for comment on the report.

This is not the first biz Kromtech researchers have spotted keeping confidential data in an insecure storage bucket. In recent months, the company has spotted vulnerable bins run by the likes of Time Warner Cable, and hotel booking company Bookzie. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Verizon commits to AWS after buying and selling its own cloud

Can anyone catch the big three (plus Oracle and IBM?)

Oh, Bucket! AWS in S3 status-checking tool free-for-all

'Your data is waiting for the internet to download it' warning lights are now free

Millions of scraped public social net profiles left in open AWS S3 box

Poorly configured cloud buckets strike again – this time, Localbox fingered

AWS elbows Google Cloud aside in fight for SAP HANA customers

My box is bigger than your box

14 million Verizon subscribers' details leak from crappily configured AWS S3 data store

Updated US telco giant insists only infosec bods saw the info

AWSome, S3 storage literally costs pennies

Just ignore the retrieval fees and relatively lower resilience

Amazon tries to ruin infosec world's fastest-growing cottage industry (finding data-spaffing S3 storage buckets)

AWS comes up with blanket policies to smother public-facing cloud silos

When it absolutely, positively needs to be leaked overnight: 120k FedEx customer files spill from AWS S3 silo

Passport scans, drivers licenses, etc, exposed online

AWS users felt a great disturbance in the cloud, as S3 cried out in terror

S3izure made things tricky for an hour, but was no apocalypS3 to match March mess

When is a Barracuda not a Barracuda? When it's really AWS S3

Now you can replicate backups to Barracuda's actually-Amazonian cloud