The metadata stored on the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website.
Security researchers – us at CyberNews included – routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers for threat intelligence. This helps us warn users and organizations that their data is being exposed and help them plug the leaks.
Back in September, while gathering intelligence on an IoT search engine, our security researchers stumbled upon a DS_STORE file that was apparently stored on a web server owned by Microsoft Vancouver.
Leaving DS_STORE files on remote web servers is dangerous because they display their folder structure, which may result in leaks of sensitive or confidential data. This is exactly what happened with the leftover DS_STORE file present on the Microsoft Vancouver web server.
“By analyzing the file, our Investigations team was able to learn about the files hosted on the Microsoft Vancouver server, as well as several database dump files stored on the server.“
These database dumps contained multiple administrator usernames and email addresses, as well as the hashed password for Microsoft Vancouver’s WordPress website.
According to the company’s website, Microsoft Vancouver is home to teams that work on developing a variety of Microsoft products, including “Notes, MSN, Gears of War, Skype, and mixed reality applications, both for desktop and HoloLens.”
On September 27, CyberNews researchers reached out to Microsoft Canada via their official contact email in order to report their findings and help secure the exposed file.
Unfortunately, we did not hear back from the company right away. Even though warnings from security researchers can sometimes get overlooked by large organizations, several additional emails are usually enough to break through and reach the eyes of security teams. As such, we made multiple additional attempts at contacting Microsoft via customer support email addresses and phone numbers listed on the company’s official websites.
On December 2, public access to the DS_STORE file was finally disabled and it is no longer leaking sensitive data. After the file was secured, we reached out to Microsoft for additional comment regarding the incident but have yet to hear back.
By taking a look at the leftover DS_STORE file, our security researchers could easily see the contents of the server folder, which included an SQL database, a configuration file, and a database dump file.
We also found that both the SQL database and the dump file contained WordPress database dumps, which, among other things, stored multiple administrator usernames and email addresses, as well as the hashed administrator password for Microsoft Vancouver’s WordPress website.
Shockingly, the WordPress administrator password was hashed with MD5, which has long been known as one of the least secure hashing algorithms, especially when used to store passwords. A competent bad actor could crack an MD5 hashed password in minutes and gain administrator privileges on the Microsoft Vancouver website.
Needless to say, this could lead to disastrous consequences, such as:
Whenever you create a folder on Mac OS X, the system automatically creates a .DS_Store (Desktop Services Store) file inside that folder. It stores the folder’s metadata and tells the Finder its contents, how to display icons or thumbnails, whether to show a background color in the folder window, and more.
This DS_STORE file is also invisible.
This means that if you’re a regular Mac user, you probably won’t see it. Unless you deliberately make it visible, which can be a tricky process.
According to CyberNews researcher Martynas Vareikis, this is mostly a non-issue on Mac devices, but transferring folders with DS_STORE files from Mac to a web server powered by another operating system like Windows or Linux can be dangerous.
“As an example, let’s say you use your Mac to upload a folder that contains a Pages file named ‘mybankingdetails’ to your Windows web server at https://example.com/public/. You then move the ‘bankingdetails’ file to a different folder on the server named https://example.com/personal/,” explains Vareikis.
“By reading the DS_STORE file on https://example.com/public/, a threat actor will know that it used to contain a file named ‘bankingdetails’, even though it’s not there anymore. This would make it much easier for them to guess its current location simply by entering different folder names as URLs. If they guess right, they will now have access to the file and its contents.”
Even worse, these invisible files are indexed by Google, which means that threat actors can easily find them on publicly accessible servers, as well as download and analyze them for metadata.
Eric McGee, a senior network engineer at TRGDatacenters, adds that even when these files are not indexed by Google, threat actors can “easily search through other web directories for them using /.DS_Store to see what information comes up.” They can then use the information about the contents of the folder to find and access all other files on the server if the filenames match those stored on the DS_STORE file.
“Leaving these files in the web servers increases the risk of hackers finding sensitive information about companies and websites, which they can then use for their nefarious gains,” warns McGee.
While keeping an eye on every single detail might seem like a tall order, it’s the least noticeable flaws that often cause the biggest security breaches.
William Mendez, managing director of operations at CyZen, argues that companies should do more to ensure that proper access controls are put in place. “At a minimum, any website that contains sensitive information should require a username and password, or some type of security token to access the content,” he told CyberNews.
“In addition to automatic security measures, web server admins can actively search for the DS_STORE files and remove them, or they can disable the automatic creation of such files.”
Dale Gonzalez, chief product officer at Axio, adds that instead of deploying files manually, web administrators should use deployment scripts and “make sure those scripts delete all DS_STORE files, or add cron jobs to web servers that automatically delete them.”
He also recommends choosing file transfer methods that do not copy hidden files, although this can sometimes cause problems because “Apache config files like .htaccess would be ignored too, and would have to be handled with a special case.”
Lastly, Gonzalez believes that slashing the number of files on web servers to a minimum is a must. “Your web-server is probably not a Mac. Therefore, you don’t need these files,” he told CyberNews.
“Generally speaking, your web server should have on it as few files as necessary to support the website. If a file stored in the folders being served to visitors doesn’t support the website, it is at best taking up space, and at worst is a security hole,” Gonzales concludes.
About the author: CyberNews Team
(SecurityAffairs – hacking, Microsoft Vancouver)