The failure, which UpGuard said exposed secret application processing interface (API) data, authentication credentials, certificates, decryption keys, customer information, and more data, was discovered on 17 September.
UpGuard director of cyber risk research, Chris Vickery, discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. The buckets were titled “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl”.
The data that could have been used to attack both Accenture and its clients was safe the day after the corporate consulting and management firm was alerted about the flaw.
All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform.
According to UpGuard’s announcement, one of the buckets, called “acp-deployment” appears to be largely devoted to storing internal access keys and credentials for use by the Identity API, which is apparently used to authenticate credentials.
This specific bucket contained a folder titled “Secure Store”, which had not only configuration files for the Identity API, but also a plaintext document containing the master access key for Accenture’s account with AWS’s Key Management Service.
Still within “acp-deployment” there were several client.jks files stored in some cases alongside what UpGuard believe to be the plaintext password necessary to decrypt the file.
“It is unknown precisely what the keys in clients.jks could be used to access. Private signing keys were also exposed within these files - placing a critical tool in the hands of anyone who encountered them,” UpGuard wrote.
According to UpGuard, the acpcollector bucket contains data into Accenture’s cloud stores and its maintenance. The acp.software bucket is believed to contain large data dumps due to its 137 GB size. The information could include credentials for some Accenture’s clients.
Other key information such as 40,000 plaintext passwords could be found in the bucket.
There were also data dumps from the Zenoss event tracker used by Accenture, revealing such incidents as the adding of new users, recording of IP addresses, and JSession IDs which, if not expired, could be plugged into cookies to gain entry past authentication portals. UpGuard’s examination revealed a number of Accenture clients recorded in this manner.
According to UpGuard “this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences”.