Dec 09 2021

Microsoft Vancouver leaking website credentials via overlooked DS_STORE file

Category: Web Security | DISC @ 9:36 am

The metadata stored in the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website.

Security researchers – us at CyberNews included – routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers for threat intelligence. This helps us warn users and organizations that their data is being exposed and help them plug the leaks.

Back in September, while gathering intelligence on an IoT search engine, our security researchers stumbled upon a DS_STORE file that was apparently stored on a web server owned by Microsoft Vancouver.

Leaving DS_STORE files on remote web servers is dangerous because they reveal the server's folder structure, which can lead to leaks of sensitive or confidential data. This is exactly what happened with the leftover DS_STORE file present on the Microsoft Vancouver web server.

By analyzing the file, our Investigations team was able to learn about the files hosted on the Microsoft Vancouver server, as well as several database dump files stored on the server.

These database dumps contained multiple administrator usernames and email addresses, as well as the hashed password for Microsoft Vancouver’s WordPress website.
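As an added example (not code from CyberNews or Microsoft), the Python audit below walks a local web root before deployment, finds leftover .DS_Store files and lists the names each one would disclose. The record scan is a heuristic based on the documented .DS_Store record layout rather than a full parse; the function names, the risky-extension list and the sample file names are assumptions constructed for illustration.

```python
import os, re, struct, tempfile

# Record layout inside .DS_Store: 4-byte big-endian name length (in UTF-16 units),
# the name in UTF-16BE, a 4-byte structure ID, then a 4-byte data type code.
TYPE_CODES = (b"blob", b"bool", b"long", b"shor", b"type", b"ustr", b"comp", b"dutc")
RISKY = re.compile(r"\.(sql|bak|zip|gz|tar|env)$", re.I)  # assumed "should not be public" list

def disclosed_names(data):
    """Heuristic scan (not a full B-tree parse): names recorded in .DS_Store bytes."""
    names = set()
    for i in range(len(data) - 12):
        (n,) = struct.unpack_from(">I", data, i)
        end = i + 4 + 2 * n
        if not 0 < n <= 255 or end + 8 > len(data):
            continue
        if not data[end:end + 4].isalnum() or data[end + 4:end + 8] not in TYPE_CODES:
            continue
        try:
            name = data[i + 4:end].decode("utf-16-be")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            names.add(name)
    return sorted(names)

def audit_webroot(root):
    """Walk a local web root; return [(ds_store_path, names, risky_names)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(dirpath, ".DS_Store")
            with open(path, "rb") as fh:
                names = disclosed_names(fh.read())
            findings.append((path, names, [n for n in names if RISKY.search(n)]))
    return findings

def make_sample(names):
    """Constructed input: file magic plus one 'Iloc' blob record per name."""
    out = b"\x00\x00\x00\x01Bud1"
    for n in names:
        out += struct.pack(">I", len(n)) + n.encode("utf-16-be") + b"Ilocblob"
        out += struct.pack(">I", 16) + bytes(16)
    return out

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".DS_Store"), "wb") as fh:
            fh.write(make_sample(["index.php", "wp-config.php", "db_backup.sql"]))
        for path, names, risky in audit_webroot(root):
            print(path, "reveals", names, "| should not be public:", risky)
```

Any finding is a reason to delete the .DS_Store file from the deployment and to move the files it names out of the web root if they were never meant to be served.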

According to the company’s website, Microsoft Vancouver is home to teams that work on developing a variety of Microsoft products, including “Notes, MSN, Gears of War, Skype, and mixed reality applications, both for desktop and HoloLens.”

On September 27, CyberNews researchers reached out to Microsoft Canada via their official contact email in order to report their findings and help secure the exposed file.

Unfortunately, we did not hear back from the company right away. Even though warnings from security researchers can sometimes get overlooked by large organizations, several additional emails are usually enough to break through and reach the eyes of security teams. As such, we made multiple additional attempts at contacting Microsoft via customer support email addresses and phone numbers listed on the company’s official websites.

On December 2, public access to the DS_STORE file was finally disabled and it is no longer leaking sensitive data. After the file was secured, we reached out to Microsoft for additional comment regarding the incident but have yet to hear back.

What’s in the file?


Tags: Web Application Security, website credentials
