This tool can assist businesses in keeping their data confidential.
Researchers and red-teamers can use the new open source “S3crets Scanner” to look for “secrets” accidentally saved in publicly accessible or company-owned Amazon AWS S3 storage buckets. Companies frequently use Amazon S3 (Simple Storage Service), a cloud storage service, to store software, services, and data in containers called buckets.
Unfortunately, businesses occasionally neglect to properly secure their S3 buckets, leaving the stored data publicly exposed to the Internet. In the past, this kind of misconfiguration has resulted in data breaches, giving threat actors access to backups, employee or customer information, and other forms of data.
Besides application data, S3 buckets may also hold files such as source code or configuration files that contain “secrets”: authentication keys, access tokens, and API keys. If these secrets are exposed, threat actors may gain much wider access to other services or even the company’s corporate network.
During an exercise looking at SEGA’s recent asset exposure, security researcher Eilon Harel found that there were no tools for detecting this kind of unintentional exposure. As a result, he decided to build his own automated scanner and publish it as an open-source application on GitHub. Harel developed a Python utility called “S3crets Scanner” to aid in the quick identification of exposed secrets in public S3 buckets. It automatically performs the following tasks:
- Get a list of public buckets from a CSPM (cloud security posture management) tool
- List the bucket’s contents using API requests
- Look for any exposed text files
- Download the necessary text documents
- Look for secrets in the content
- Send outcomes to SIEM
Before the text files are downloaded for the “secrets scanning” stage, the list is filtered to remove any buckets that were created with the intention of being public.
While scanning a bucket, the script uses the Trufflehog3 tool, an enhanced Go-based variant of the TruffleHog secrets scanner that can check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets, to examine the contents of the text files.
Trufflehog3 examines the files downloaded by S3crets Scanner using a set of custom rules written by Harel that focus on the disclosure of personally identifiable information (PII) and internal access tokens.
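To make the pipeline above concrete, here is an added Python sketch of it (example code, not Harel’s tool): the bucket inventory, object listings, file contents and placeholder key id are all constructed stand-ins, and three regex rules take the place of Trufflehog3 and Harel’s rule set.

```python
import re
# Constructed stand-ins for the CSPM bucket inventory and the S3 object listings
# (assumed inputs for this example; a real run would fetch both from AWS APIs).
BUCKETS = {
    "corp-static-site": {"public": True, "intended_public": True},
    "corp-build-artifacts": {"public": True, "intended_public": False},
    "corp-backups": {"public": False, "intended_public": False},
}
OBJECTS = {
    "corp-static-site": {"index.html": "<html>ok</html>\n"},
    "corp-build-artifacts": {
        # AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id, not a live credential.
        "deploy/config.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n",
        "scripts/run.sh": "#!/bin/sh\necho build ok\n",
        "logo.png": "<binary, never downloaded>",
    },
}
TEXT_EXT = (".env", ".txt", ".json", ".yaml", ".yml", ".sh", ".py", ".cfg", ".ini", ".pem", ".html")
# Three illustrative rules; Trufflehog3 and Harel's custom rules cover far more patterns.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)(password|passwd|secret)\s*[=:]\s*\S+"),
}

def candidate_buckets(buckets):
    """Public buckets that were not meant to be public: the only ones worth downloading from."""
    return [n for n, meta in buckets.items() if meta["public"] and not meta["intended_public"]]

def is_text_key(key):
    """Only text-like objects are fetched; binaries are skipped by extension."""
    return key.lower().endswith(TEXT_EXT)

def scan_text(text):
    """Return (rule, line_no) hits; the matched value itself is deliberately not recorded."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line_no))
    return hits

def scan(buckets, objects):
    """Build SIEM-ready events (bucket, key, rule, line) without echoing the secret."""
    events = []
    for bucket in candidate_buckets(buckets):
        for key, body in objects.get(bucket, {}).items():
            if is_text_key(key):
                for rule, line_no in scan_text(body):
                    events.append({"bucket": bucket, "key": key, "rule": rule, "line": line_no})
    return events
```

Running `scan(BUCKETS, OBJECTS)` yields two events for deploy/config.env (lines 1 and 2) and nothing for the intentionally public site bucket, and the events carry the location of each hit rather than the secret itself, so they are safe to forward to a SIEM.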
The researcher believes that, if run regularly against an organization’s assets, “S3crets Scanner” can help businesses reduce the likelihood of data leaks or network breaches caused by exposed secrets.
The tool can also be used in ethical ways, such as scanning buckets that are open to the public and alerting their owners to exposed secrets before malicious parties find them.