Passwords to data stored in the cloud are easy to discover using Google Code Search

Access codes and secret passwords for thousands of users’ cloud services can be easily found using Google Code Search, security researchers say.

Researchers at Stach & Liu, a security company that develops hacking tools for Google, were the first to reveal the results of their cloud services research at the Hacker Halted conference in Miami last month. Researchers are currently advising companies that plan to store critical information in the public cloud not to do so.

“It’s not a good idea to bring sensitive information into the cloud, at least until intrusion detection systems are built that allow users to see them in their cloud services,” says Fran Brown, chief executive of Stach & Liu. "Companies strive for functionality, but they forget about risk".

In his online presentation, Brown showed how a hacker familiar with the workings of Google and the simple facts about identifying cloud services can easily obtain the access codes and passwords needed to unlock data stored in public cloud services like Amazon EC3.

Such data is typically stored by application https://bk8-casino.co.uk/ developers and system administrators, who are unaware that simple text files can be indexed by search engines and discovered through a simple Google search, Brown said.

“We found thousands of passwords stored this way that could be used to control a computer in the cloud, shut it down, or attack other computers on the same service,” he says.

The problem, according to Stach & Liu, is not with the service provider, it is with developers and administrators storing critical information in text files and applications that could be compromised. “All you have to do is hire an irresponsible developer who writes passwords into a text file and you’re in great danger,” Brown said.

Stach & Liu has developed a cloud hacking tool – the second tool after Diggity, which was introduced in July at Black Hat USA – that searches for critical data using a simple Google code search.

While cloud identity services require entering a lot of information to gain access to stored data, Stach & Liu were able to find all the data to gain access to corporate data stored in the cloud, Brown said.

Often, cloud service agreements contain a clause that exempts the provider from liability for such data leaks, Brown continues. “If you look at the agreements more carefully, you will see that the provider does not guarantee that the data stored on the service is secure,” he says. “The security industry needs to think about how to work with cloud service providers, including Amazon.”.

In its presentation, Stach & Liu also introduced several other Google utilities, including tools that detect viruses and vulnerabilities in Flash files and applications that prevent data leaks.

"Flash files pose another threat," Brown said. “It’s very easy to find password pages if the site uses Flash, copy them and find vulnerabilities”. In his presentation, Brown was able to access one of the accounts in 30 seconds using Google.