In the recent months we have seen much media coverage over S3 bucket leaks, where developers and organisations have forgotten to check the Access-Control-List’s (ACLs) that protect the authorisation of whom can access the data stored within these particular cloud containers. This has lead to some embarrassing moments for both Governments and Private companies.

Most of the tools out there are currently configured to only scan Amazon S3! and we at Netscylla thought, why not Google?

Google’s buckets are typically secure by default! Developers / administrators need to manually add the ‘allUsers’ group to ‘Storage View’ (or more dangerously read&write) permissions. But from experience we know that during testing or development, security settings are often relaxed to help speed up progress; this can lead to mistakes, where weak permissions or overly open ACLs are left in place on Storage Buckets, when they should have been locked-down or removed!

Today, Netscylla release GBucketDump, its a small fork of the original code AWSBucketDump from Jordan Potti (

How To Run GBucketDump

The code runs in exactly the same way you would run Jordan’s AWSBucketDump. We also added in a flag (-o) to specify an organisation name, should you wish to target and enumerate possible Google Buckets for your company or educational institution:

$ python ./ -h
usage: [-h] [-o ORGANISATION] [-D] [-d SAVEDIR] -l HOSTLIST
optional arguments:
-h, — help show this help message and exit
-o ORGANISATION target an organisation
-D Download files. This requires significant diskspace
-d SAVEDIR if -D, then -d 1 to create save directories for each bucket
with results.
-g GREPWORDS Provide a wordlist to grep for
-m MAXSIZE Maximum file size to download.
-t THREADS thread count.

Example Output

Below is a brief example, of enumerating a public bucket (now destroyed) that Netscylla created for the purpose of testing the code:

$ python ./ -l netscylla.txt -g interesting_Keywords.txt -m 500000 -d out -D -t 5
Downloads enabled (-D), and save directories (-d) for each host will be created/used
local out/
local out/ is not accessible is not accessible is not accessible
Finshed enumeration. Starting Download...
Cleaning Up Files


The code has been released as open-source, for educational purposes only:

Check Your Storage Permissions

Check your permissions by visiting the following URL:

And Click ‘Edit Bucket Permissions’ to review the Users, Groups and ACL’s applied to your buckets.

Just like AWS it is important to remember the what the following two accounts actually mean:

  • allUsers = everyone with anonymous access
  • allAuthenticatedUsers = everyone with a Google Account


Share on: