Security researchers at CyberNews have unearthed a Desktop Service Store (DS_STORE) file that was openly available on a web server belonging to Microsoft in Vancouver, Canada.
The dumped database included usernames and e-mail addresses of administrators, as well as passwords in the hashed format used by the WordPress systems the firm operates on its official pages. Folder lists, including content management platform databases, were also available.
The passwords discovered were stored in an insecure format, MD5, which could be easily cracked by a skilled malicious actor. With full credentials, attackers could have gained access to the firm's website systems, which could then be used to perform phishing attacks or deploy malicious files on Microsoft's own servers, researchers explained.
A DS_STORE file stores folder attributes on macOS. This one was discovered in September 2021, during routine scans carried out by the researchers for unprotected Internet of Things servers and devices.
Unfortunately, it took weeks for CyberNews to get a response from Microsoft, and after taking notice, the firm took almost a month to patch the vulnerability. The researchers said they made multiple attempts at contacting Microsoft over official contact emails, phone numbers, as well as customer support emails, just to be noticed.
According to security researchers, exploits from DS_STORE files can often go unnoticed by users. On macOS this is a hidden file, but it becomes visible when data is transferred to a Windows or Linux server or device. Because it carries information from the original folder with it, the metadata could be used to obtain the location of files or information about their content, as well as other folders that may also be publicly accessible.
These types of files should be heavily guarded, as they display their folder structure, which could result in leaks of sensitive or confidential data, researchers added.
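An added example, not code from CyberNews or Microsoft: a pre-publication audit that walks a web root, finds any .DS_Store files, and lists the names each one would disclose. The record scan is a heuristic rather than a full parser, and `make_sample` and the file names used with it are constructed for illustration.

```python
import os
import struct

MAGIC = b"\x00\x00\x00\x01Bud1"  # start of every .DS_Store file
# Data-type codes that follow each record's 4-byte structure ID.
DS_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}


def leaked_names(data: bytes) -> list:
    """Heuristically list the file names recorded in .DS_Store content.

    A record is: uint32 name length (UTF-16 units), the UTF-16BE name, a
    4-byte structure ID, then a 4-byte data type. Scanning for that shape
    avoids walking the B-tree and is enough for an exposure audit.
    """
    names, i = {}, 0  # dict keeps first-seen order and drops duplicates
    while i + 12 <= len(data):
        (n,) = struct.unpack_from(">I", data, i)
        end = i + 4 + 2 * n
        if (0 < n <= 255 and end + 8 <= len(data)
                and data[end:end + 4].isalnum()
                and data[end + 4:end + 8] in DS_TYPES):
            name = data[i + 4:end].decode("utf-16-be", errors="replace")
            if name.isprintable() and "\ufffd" not in name:
                names[name] = True
                i = end + 8
                continue
        i += 1
    return list(names)


def audit_webroot(root: str) -> dict:
    """Map every .DS_Store under root to the names it would disclose."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(dirpath, ".DS_Store")
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(MAGIC):
                findings[path] = leaked_names(data)
    return findings


def make_sample(names) -> bytes:
    """Constructed stand-in: real header magic plus bare records, no B-tree."""
    recs = b"".join(struct.pack(">I", len(n)) + n.encode("utf-16-be")
                    + b"Ilocblob" + struct.pack(">I", 16) + bytes(16) for n in names)
    return MAGIC + bytes(28) + recs
```

Any path `audit_webroot` reports should be removed from the deployment before it is published, and requests for that file name refused at the web server.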
William Mendez, managing director of operations at CyZen, believes that organizations should put more effort into ensuring that proper access controls are in order. “At a minimum, any website that contains sensitive information should require a username and password, or some type of security token to access the content,” he told CyberNews.