VYPR research · Published Jun 22, 2026 · 1 source

Universal Bucket Hijacking Technique Exploits Global Namespace in Major Cloud Providers

Unit 42 researchers disclosed a bucket hijacking technique that exploits globally unique bucket names across AWS, Azure, and Google Cloud to silently reroute data streams to attacker-controlled storage.

Unit 42 researchers have disclosed a novel bucket hijacking technique that exploits a fundamental architectural flaw in major cloud service providers (CSPs), enabling attackers to silently reroute sensitive data streams to external storage. The attack, detailed in a June 22 report, targets the global uniqueness of bucket names in services like AWS S3, Azure Blob Storage, and Google Cloud Storage. By deleting a target bucket and recreating it under their own account with the same name, attackers can intercept logs, telemetry, and other automated data streams without exploiting a specific software vulnerability.

The technique leverages the fact that bucket names are globally unique within each cloud provider, meaning no two accounts can hold the same bucket name at the same time. This design simplifies data stream configuration but ties the destination's identity solely to its name rather than to an immutable account owner. Combined with permissions to delete and recreate buckets, an attacker who has compromised a cloud environment can redirect data streams by deleting the original bucket and immediately recreating it under their own account. The required permissions include storage.objects.delete and storage.buckets.delete in Google Cloud, with analogous permissions in AWS and Azure.

Unit 42 simulated the attack in Google Cloud Logging, demonstrating how a sink routing logs to a cloud storage bucket could be hijacked. After deleting the original bucket and recreating it in an attacker-controlled project, logs were successfully routed to the external bucket, allowing the attacker to exfiltrate extensive information about the compromised environment. The researchers also confirmed the technique's applicability to other Google Cloud services, including Pub/Sub and Storage Transfer Service, indicating a systemic risk across multiple data streaming services.

The attack's impact is broad, as automated data streams are critical for routing, processing, and backing up data within an organization's infrastructure. Examples include cloud logging sinks in Google Cloud and bucket replication in AWS. By rerouting these streams, attackers can exfiltrate sensitive data such as audit logs, customer information, and intellectual property. The technique is particularly dangerous because it does not require exploiting a software vulnerability, making it difficult to detect with traditional security tools.

Unit 42 has shared its findings with Google Cloud, Amazon Web Services, and Microsoft Azure. While no real-world exploitation has been observed, the researchers anticipate that real-world attempts would be hard to detect. They recommend that organizations take proactive steps to mitigate the risk, such as implementing bucket naming conventions with unique identifiers, using immutable storage policies, and monitoring for unauthorized bucket deletions or creations. Palo Alto Networks customers are protected through Cortex Cloud and Unit 42 Cloud Security Assessment services.
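The two defender-side checks that follow from the mechanism above (a sink keeps routing to a bucket *name*, so after a delete the name can be re-created by anyone) and from the monitoring recommendation: verify that each logging sink's destination bucket still exists and is owned by the expected project, and triage Cloud Audit Log entries for storage.buckets.delete on sink destinations. This is an added example, not code from the Unit 42 report; the sinks, inventory, audit entries and project numbers are constructed, and `bucket_owner` stands in for a real storage.buckets.get call.

```python
"""Defender checks for the bucket-hijack pattern above, on constructed data (not
from the Unit 42 report). (1) Ownership drift: a log sink's destination bucket is
gone or now owned by another project, i.e. its name was re-claimed elsewhere.
(2) Audit triage: storage.buckets.delete on a sink destination. The attacker's
re-create happens in their own project and never appears in the victim's audit
log, so the delete is the event the victim can actually alert on."""
from typing import Optional
# A sink is (sink name, destination, project number expected to own the bucket).
SINKS = [  # constructed sample sinks; the second is not bucket-backed
    ("audit-to-gcs", "storage.googleapis.com/acme-audit-logs", "111111111111"),
    ("audit-to-pubsub", "pubsub.googleapis.com/projects/acme/topics/t", "111111111111")]
INVENTORY = {"acme-audit-logs": "999999999999"}  # constructed: name now held by a foreign project
AUDIT = [  # constructed Cloud Audit Log entries, reduced to the fields used here
    {"timestamp": "2026-06-20T10:00:00Z", "methodName": "storage.buckets.delete",
     "resourceName": "projects/_/buckets/acme-audit-logs", "principalEmail": "dev@acme.example"},
    {"timestamp": "2026-06-20T10:01:00Z", "methodName": "storage.buckets.create",
     "resourceName": "projects/_/buckets/scratch", "principalEmail": "dev@acme.example"}]

def sink_bucket_name(destination: str) -> Optional[str]:
    """Bucket name from a Cloud Logging storage destination, else None."""
    prefix = "storage.googleapis.com/"
    if not destination.startswith(prefix):
        return None  # Pub/Sub, BigQuery, ... sinks are not bucket-backed
    return destination[len(prefix):].split("/", 1)[0]

def find_ownership_drift(sinks, bucket_owner):
    """bucket_owner(name) -> owning project number, or None if the bucket is gone
    (wrap storage.buckets.get in production; a plain dict lookup here)."""
    findings = []
    for name, destination, expected in sinks:
        bucket = sink_bucket_name(destination)
        if bucket is None:
            continue
        owner = bucket_owner(bucket)
        if owner is None:
            findings.append((name, bucket, "missing: name is claimable"))
        elif owner != expected:
            findings.append((name, bucket, f"owned by project {owner}"))
    return findings

def deletes_of_sink_destinations(entries, sinks):
    """storage.buckets.delete audit entries whose resourceName is a sink bucket."""
    watched = {sink_bucket_name(d) for _, d, _ in sinks} - {None}
    hits = []
    for e in entries:
        bucket = e["resourceName"].rsplit("/", 1)[-1]  # projects/_/buckets/<name>
        if e.get("methodName") == "storage.buckets.delete" and bucket in watched:
            hits.append((e["timestamp"], e["principalEmail"], bucket))
    return hits
```

Run `find_ownership_drift(SINKS, INVENTORY.get)` on a schedule with a live buckets.get lookup; a "missing" or "owned by project" finding for a sink destination is the condition the report describes.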

This discovery highlights a growing class of attacks that exploit cloud infrastructure design patterns rather than software bugs. As organizations increasingly rely on automated data streams for logging, replication, and analytics, the global namespace risk becomes a critical concern. The technique underscores the need for cloud providers to consider account ownership in addition to name uniqueness when routing data, and for organizations to adopt defense-in-depth strategies that include strict IAM policies, bucket versioning, and anomaly detection.

Synthesized by Vypr AI