[German]CyberNews security researchers discovered a Desktop Services Store (DS_STORE) file left on a publicly accessible web server that belongs to Microsoft Vancouver. By analyzing the file, the investigations team was able to learn about the files hosted on the Microsoft Vancouver server, as well as several database dump files stored on the server. This flaw has been corrected, after CyberNews security researchers informed Microsoft.
Advertising
It's a case that shows that "the devil lies within the details". Security researchers – us at CyberNews included – routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers for threat intelligence. This helps security researchers warn users and organizations that their data is being exposed and help them plug the leaks.
A simple Desktop Services Store (DS_STORE) file left on a publicly accessible web server from Microsoft Vancouver opened the box of pandora.
Such .DS_Store files are created when folders are accessed by macOS, according to this Wikipedia entry.
The metadata stored on the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website. These database dumps contained:
- multiple administrator usernames
- administrator email addresses
- the hashed password for Microsoft Vancouver's WordPress website.
as the security researchers has documented here. According to the company's website, Microsoft Vancouver is home to teams that work on developing a variety of Microsoft products, including "Notes, MSN, Gears of War, Skype, and mixed reality applications, both for desktop and HoloLens."
What's the danger of leaving DS_STORE files on web servers?
This DS_STORE file with details of what's stored on that server could lead to disastrous consequences, such as:
Advertising
- Attackers could use the exposed WordPress credentials to plant malware or ransomware on the server, which would allow them to take it hostage, exploit it further, or potentially infiltrate the network of Microsoft Vancouver.
- By getting their hands on Microsoft Vancouver's WordPress login, phishers could use the original Microsoft domain to carry out massive phishing campaigns that would bypass phishing filters. Such phishing messages would be displayed as legitimate emails coming from Microsoft. This means that there is a high possibility that most of the recipients would see them as coming from a trusted source, massively increasing the likelihood of subsequent infections.
- If Microsoft Vancouver stores any mailing lists on their website, threat actors could steal them and send out phishing emails from the same server directly to Microsoft's subscriber base, which possibly includes current Microsoft employees.
At the end of September CyberNews researchers reached out to Microsoft Canada in order to report their findings and help secure the exposed file. Since then, it took Microsoft Canada many back-and-forth emails to disable public access to the file. On December 2, the DS_STORE file was secured and is no longer leaking sensitive data. We are still waiting for their comment on this case and will update the research and inform you if that happens.
