Token Sprawl: The Keys You Forgot You Handed Out
Cloud storage rarely leaks because a bucket was set to public. It leaks because of the signed URL — the SAS token, the presigned link, the short-lived credential that was convenient once and never thought about again.
The Quiet Failure Mode
A frontend needs to show a file, so an endpoint mints a signed URL on demand. Reasonable. The questions that decide whether it is safe almost never get asked:
- Is the signature scoped to one object, or the whole container?
- Is it read-only, or does it carry write and list permission?
- Does the endpoint that mints it require authentication — or will it sign any path a caller asks for?
Get those wrong and a single unauthenticated request becomes a key to everything in the account.
"A credential you cannot enumerate is still a credential. An attacker only needs the ones they can."
What a Review Looks For
We parse every signed URL an application issues — scope, permission set, lifetime — and we test the minting endpoint itself, not just the file it returned. The dangerous finding is rarely the file you were shown. It is the one the token would also have unlocked.
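As an added illustration of that parse step (example code, not Cryptex Labs' tooling): a Python triage script that reads an Azure SAS token or an S3 presigned URL, reports its scope, permission set and lifetime, and flags the three questions above. The sample URLs, the placeholder signatures, the reference time and the one-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumption: the review's lifetime threshold
REF_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed review time

def _utc(s: str) -> datetime:
    """Parse the timestamps Azure (se) and S3 (X-Amz-Date) put in the query string."""
    if s.endswith("Z") and "-" not in s:                      # 20240601T120000Z
        return datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))     # 2024-06-01T13:00:00Z
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def review_signed_url(url: str, now: datetime, method: str = "GET") -> dict:
    """Report scope, permissions and expiry of one signed URL plus review findings."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" in q and "sp" in q:                              # Azure SAS token
        perms = set(q["sp"])                                  # r, w, d, l, c, ...
        scope = {"b": "blob", "c": "container", "d": "directory"}.get(q.get("sr", ""), "unknown")
        expiry = _utc(q["se"])
    elif "X-Amz-Signature" in q:                              # S3 presigned URL
        perms = {"r"} if method in ("GET", "HEAD") else {"w"}  # bound to the HTTP verb
        scope = "object" if parts.path.strip("/") else "bucket"  # no key: bucket-level
        expiry = _utc(q["X-Amz-Date"]) + timedelta(seconds=int(q["X-Amz-Expires"]))
    else:
        return {"findings": ["not a recognised signed URL"]}
    remaining = expiry - now
    findings = []
    if scope not in ("blob", "object"):
        findings.append(f"scope is {scope}, not a single object")
    if perms - {"r"}:
        findings.append("permissions beyond read: " + "".join(sorted(perms - {"r"})))
    if remaining > MAX_LIFETIME:
        findings.append(f"lifetime {remaining} exceeds policy")
    return {"scope": scope, "permissions": "".join(sorted(perms)),
            "expires": expiry.isoformat(), "findings": findings}

# Constructed sample URLs; the signature values are placeholders, not real secrets.
SAMPLES = [
    "https://acct.blob.core.windows.net/files/report.pdf?sv=2022-11-02&sr=b&sp=r"
    "&se=2024-06-01T13:00:00Z&sig=PLACEHOLDER",
    "https://acct.blob.core.windows.net/files?sv=2022-11-02&sr=c&sp=rwdl"
    "&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER",
    "https://bkt.s3.amazonaws.com/?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Date=20240601T120000Z&X-Amz-Expires=604800&X-Amz-Signature=PLACEHOLDER",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(review_signed_url(url, REF_NOW))
```

The second and third samples are the shapes the text warns about: a container-scoped token with write and list rights, and a bucket-level presign that lives for a week.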
Cryptex Labs reviews cloud storage the way an attacker reads it: as a set of credentials in motion, not a list of buckets at rest.