Leaky Bucket: Full Attack Chain Against Public S3-Compatible Buckets in Yandex Cloud

Published: December 10, 2025 at 09:03 AM EST
3 min read
Source: Dev.to


🛑 Disclosure: A lightweight proof‑of‑concept (PoC) tool was developed by hackteam.red for internal red‑team and authorized penetration testing. The PoC will not be released publicly, but it is actively used to assess Yandex Cloud Object Storage configurations for clients who explicitly permit such testing.

Overview

Yandex Cloud provides an S3‑compatible Object Storage service that allows customers to host static websites via public endpoints such as:

http://<bucket>.website.yandexcloud.net

While convenient, misconfigurations can lead to unintended public exposure of sensitive documentation, internal architecture details, source code, or configuration files. Unlike AWS S3 buckets, Yandex Cloud buckets have historically received less automated scanning, making them attractive for reconnaissance and exploitation.

Full Attack Chain

1. Initial Discovery via Google Dorks

A basic Google search can reveal publicly accessible buckets:

allinurl:.website.yandexcloud.net

Examples found

  • 1cgencode.website.yandexcloud.net – “Developer Tools for 1C”
  • devops-pilot-competencies.website.yandexcloud.net – Yandex Cloud training materials
  • b3-website.website.yandexcloud.net – Waste management SaaS platform
  • transrussia.ru.website.yandexcloud.net – TRANSeuropa logistics expo

These results confirm bucket existence and provide business context.

2. Automated Enumeration with httpx

Filter discovered names for HTTP 200 responses:

cat buckets.txt | httpx -silent -status-code -mc 200 -o live-buckets.txt

Only truly public buckets are retained for further testing.

3. Wordlist Expansion & Brute‑Forcing with ffuf

Create a context‑aware wordlist combining:

  • Top Russian companies (sberbank, ozon, 1c, bitrix24)
  • DevOps terms (prod, staging, backup, tfstate, config)
  • Observed patterns (mitt, karta, safelist)

Run a targeted brute‑force scan:

ffuf -w expanded-wordlist.txt \
     -u "http://FUZZ.website.yandexcloud.net" \
     -mc 200 -t 10 -p 0.8

This often uncovers additional buckets not indexed by Google.

4. Sensitive Path Fuzzing

For each confirmed bucket, fuzz for high‑risk paths such as:

/.git/HEAD
/.env
/backup.zip
/terraform.tfstate
/config.js
/id_rsa
/aws-keys.txt
/yc-keys.txt
/robots.txt
/sitemap.xml

Use ffuf or a custom script with rate‑limiting to avoid IP bans. A 200 OK response indicates potential data exposure.

Example: robots.txt may leak internal paths:

Disallow: /ru/exhibit/conference-zal/
Disallow: /ru/media/news/.../registraciya-posetitelej-otkryta-transrussia

These reveal hidden functionality and event structures.

5. JS/HTML Secret Hunting

Search public JavaScript and HTML files for secrets:

curl -s http://bucket.website.yandexcloud.net/ | \
  grep -E "(yc|aws|key|token|secret|accessId)"

While no live secrets were found in our scans, hard‑coded endpoints and internal service names were frequently present, enriching the target map.

6. Exploitation Scenarios

Finding                         Impact
.git/HEAD                       Full source code recovery via git-dumper
terraform.tfstate               Full infrastructure state, including IAM keys
yc-keys.txt                     Direct access to Yandex Cloud APIs
backup.zip                      Historical snapshots, credentials, PII
Internal paths from robots.txt  Attack surface expansion

Even without direct secrets, the gathered intelligence can be used to:

  • Craft targeted phishing lures
  • Map internal architecture
  • Plan lateral movement in cloud environments

Recommendations

For Yandex Cloud Users

  • Never upload .git, terraform.tfstate, .env, or backups to public buckets.
  • Use separate private buckets for build artifacts and logs.
  • Review all files before enabling Static Website Hosting.
  • Consider a restrictive robots.txt that disallows all non‑essential paths.
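A pre-publish check for the owner's side of these recommendations (an added example, not the article's scanner or any Yandex Cloud tooling; file names and contents are constructed placeholders): it walks the directory that is about to be uploaded to a static-website bucket and flags the artifacts listed in section 4, plus JS/HTML files that hit the keyword regex from section 5, so they are reviewed before Static Website Hosting is enabled.

```python
import re
import tempfile
from pathlib import Path

# Paths the article lists as high-risk when served from a public bucket,
# matched against each file's bucket-relative POSIX path.
SENSITIVE_PATH_PATTERNS = [
    r"(^|/)\.git(/|$)",                   # repository metadata -> source recovery
    r"(^|/)\.env$",                       # dotenv files with credentials
    r"\.tfstate$",                        # Terraform state, may hold IAM keys
    r"(^|/)backup.*\.(zip|tar|gz|sql)$",  # archived snapshots
    r"(^|/)id_rsa(\.pub)?$",              # SSH keys
    r"(^|/)(aws|yc)-?keys\.txt$",         # cloud API keys dumped to text
]
# Section 5's loose keyword regex, run locally so the owner reviews the hits
# (expect false positives such as "onkeydown").
SECRET_KEYWORDS = re.compile(r"(yc|aws|key|token|secret|accessId)", re.I)
TEXT_SUFFIXES = {".js", ".html", ".htm", ".json"}


def find_sensitive_artifacts(root):
    """Return sorted (kind, relative_path) findings for a site tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # rglob does not skip dot-directories
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(re.search(p, rel) for p in SENSITIVE_PATH_PATTERNS):
            findings.append(("sensitive-path", rel))
        elif path.suffix in TEXT_SUFFIXES:
            if SECRET_KEYWORDS.search(path.read_text(errors="replace")):
                findings.append(("review-keyword", rel))
    return sorted(findings)


def build_sample_site(base):
    """Write a constructed sample tree (placeholder content, not real data)."""
    files = {
        "robots.txt": "Disallow: /ru/exhibit/conference-zal/\n",  # clean
        "assets/app.js": "const accessId = 'PLACEHOLDER-NOT-A-REAL-ID';\n",
        ".git/HEAD": "ref: refs/heads/main\n",
        "infra/terraform.tfstate": '{"version": 4}\n',
        "backup.zip": "placeholder, not a real archive",
    }
    for rel, content in files.items():
        (Path(base) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(base) / rel).write_text(content)
    return base


def check_sample_site():
    """Build the sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sensitive_artifacts(build_sample_site(tmp))
```

Run `find_sensitive_artifacts("./site")` against the real upload directory in CI and fail the deploy on any "sensitive-path" finding; "review-keyword" hits need a human look because the regex is deliberately loose.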

For Yandex Cloud Platform

  • Enable automatic scanning of Object Storage buckets for sensitive patterns (keys, .git, tfstate).
  • Add warnings when “Static Website” is enabled on a bucket.
  • Enforce “Block Public Access” at the account level (similar to AWS).
  • Prevent uploads of known‑sensitive files (e.g., .git) to publicly accessible buckets.

DSPM (Data Security Posture Management) is a powerful tool—ensure it is applied to publicly accessible buckets.

Conclusion

Yandex Cloud’s Object Storage is robust and developer‑friendly, but security remains a shared responsibility. Simple, low‑cost reconnaissance and targeted fuzzing can uncover valuable organizational intelligence and, in misconfigured environments, lead to full system compromise. This research was conducted strictly within authorized penetration testing bounds. Our internal leaky-bucket scanner remains closed‑source and is used only with explicit client permission.

📢 Note: If you’re a Yandex Cloud customer and want to test your buckets for exposure, contact a certified penetration testing provider — do not scan without authorization.
