Hackers are exploiting misconfigured cloud storage buckets to steal sensitive data or use them to distribute malware. Google has released best practices to help prevent dangling bucket takeovers and is urging developers to strengthen the security of their cloud environments.
Google is warning about dangling bucket attacks, which occur when a storage bucket is deleted but its references remain in application code, mobile apps, public documentation, or other locations.
According to the tech giant, attackers can register the same bucket name in their own project, effectively taking over the old address to deliver malware or steal data from users who unknowingly continue to access a bucket that is no longer officially maintained.
Google recommends a thorough decommissioning process for this type of cloud storage and has outlined four key steps to secure dangling buckets.
The first step, before deleting any bucket, is for cloud administrators to identify who and what is still accessing it.
Access logs can reveal recent activity, and if requests are coming from outdated app versions, third-party services, or users, they should be reviewed. Requests from bots, crawlers, or scanners can generally be ignored.
Google also emphasizes the need to closely monitor any attempts to retrieve executable code, machine learning models, dynamic web content (such as JavaScript), or sensitive configuration files.
For the second step, Google advises waiting at least a week before deleting the bucket. This allows time to observe the full cycle of activity, including weekly reports, batch jobs, and occasional user access, which helps ensure nothing important is still using it.
Once you’ve confirmed there’s been no legitimate traffic for at least a week and all legacy code has been updated, you can safely delete the bucket.
Google also notes that deleting a Google Cloud project will automatically remove all associated resources, including storage buckets.
Google emphasizes the importance of proactively finding dangling bucket references by reviewing logs for 404 errors and scanning code bases for outdated links.
A high volume of failed requests to the same non-existent bucket name should be treated as a serious warning sign. Developers are advised to search their code and documentation for any storage bucket names that may no longer be active. If a dangling bucket is found and is no longer owned, all hardcoded references should be removed, and updates should be pushed to users immediately.
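As an added example (not Google's detection scripts, which the article does not reproduce), the Python below combines the two checks described above: counting failed requests per bucket name from access logs while ignoring bot and scanner traffic, and scanning code and documentation for hardcoded bucket references. The log format, the user-agent heuristic, the list of sensitive file extensions, the file paths and the sample data are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines in an assumed simplified format: "<status> <method> <bucket> <object> <user-agent>"
SAMPLE_LOGS = [
    "404 GET old-assets-bucket app.js Mozilla/5.0 (iPhone; MyApp/2.1)",
    "404 GET old-assets-bucket config.json MyApp/2.1",
    "404 GET old-assets-bucket app.js Googlebot/2.1",
    "200 GET prod-assets logo.png Mozilla/5.0",
    "404 GET old-assets-bucket model.pb python-requests/2.31",
    "404 GET typo-bukcet x.txt some-scanner/1.0",
]
# Constructed code and documentation snippets (hypothetical file paths)
SAMPLE_CODE = {
    "ios/Config.swift": 'let base = "https://storage.googleapis.com/old-assets-bucket/"',
    "docs/README.md": "Download the installer from gs://legacy-downloads/setup.exe",
    "web/index.html": '<script src="https://prod-assets.storage.googleapis.com/app.js">',
}
LOG_RE = re.compile(r"^(\d{3}) (\S+) (\S+) (\S+) (.*)$")
BOT_RE = re.compile(r"bot|crawler|spider|scan", re.I)  # noise the guidance says can be ignored
# Object types the guidance singles out: code, ML models, dynamic web content, config files (assumed list)
SENSITIVE_RE = re.compile(r"\.(js|exe|dll|sh|py|json|yaml|yml|env|pb|h5|pkl|onnx|wasm)$", re.I)
NAME = r"([a-z0-9][a-z0-9._-]{1,220}[a-z0-9])"
BUCKET_REF_RE = re.compile(rf"gs://{NAME}|storage\.googleapis\.com/{NAME}|{NAME}\.storage\.googleapis\.com")

def failed_requests(log_lines):
    """Count 404s per bucket from non-bot clients and record sensitive object names requested."""
    counts, sensitive = Counter(), defaultdict(set)
    for m in filter(None, map(LOG_RE.match, log_lines)):
        status, _method, bucket, obj, ua = m.groups()
        if status != "404" or BOT_RE.search(ua):
            continue
        counts[bucket] += 1
        if SENSITIVE_RE.search(obj):
            sensitive[bucket].add(obj)
    return counts, sensitive

def bucket_references(files):
    """Map bucket name -> set of files that hardcode a reference to it (gs:// or googleapis URL forms)."""
    refs = defaultdict(set)
    for path, text in files.items():
        for m in BUCKET_REF_RE.finditer(text):
            refs[next(g for g in m.groups() if g)].add(path)
    return refs

def dangling_candidates(log_lines, files, threshold=2):
    """Buckets with at least `threshold` non-bot 404s that code or docs still point at."""
    counts, sensitive = failed_requests(log_lines)
    refs = bucket_references(files)
    return {b: {"failed": n, "files": sorted(refs[b]), "sensitive": sorted(sensitive[b])}
            for b, n in counts.items() if n >= threshold and b in refs}
```

Each candidate reported should be checked against the project inventory: a name that is no longer owned means the hardcoded references must be removed and updates pushed, while a name the organization still controls can be reclaimed as described below.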
For dangling buckets that an organization still owns, Google recommends reclaiming them by creating a new storage bucket with the same name in a secure project under their control, then applying strict IAM policies to restrict access.
Google has also provided detection scripts to help developers identify potential dangling buckets more efficiently.