Blog: Data leak via exposed .DS_Store files

Intro / TL;DR

With our scanner we checked over 2.6 million domains for an exposed .DS_Store file and found about 8'500 of them. From the file and folder names recorded in these files we were able to locate configuration files, database dumps, private keys, source code and "hidden" admin panels that were never meant to be public.

Public .DS_Store file

What are .DS_Store files?

.DS_Store files are hidden files that the Finder (the file manager of Apple macOS, formerly OS X) creates automatically in every folder a user browses or customises. Because the name starts with a dot, the file is hidden in the file system and is not shown in the Finder by default, the same way hidden files are not shown in Windows Explorer. DS_Store stands for Desktop Services Store. The file holds the per-folder view settings: window size and position, view style, icon positions, background and similar. On Windows the closest equivalent is the likewise hidden desktop.ini.

The .DS_Store file also records the names of the items in the folder: each view setting is keyed by the name of the file or folder it belongs to, so the file amounts to a partial directory listing. .DS_Store files use a proprietary binary format and cannot be read directly by humans, but there are tools that parse the format and extract the names and settings they contain.

Where is the data leak with .DS_Store files?

If such a .DS_Store file is copied to a web server together with the site's content, anyone can download and parse it. The file and folder names it stores are often the names of things that were never meant to be public: backups, database dumps, configuration files, development leftovers.

Accessing the file is trivial, because it sits in the web root (and in any subfolder that was copied along) under a predictable name. For example: https://example.com/.DS_Store

If the .DS_Store file lists a name such as database_dump.sql, requesting https://example.com/database_dump.sql may simply return the dump. Names of subfolders are just as useful: every folder browsed in the Finder gets its own .DS_Store file, so the listing can be walked recursively.
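The extraction-and-probing step described above, as an added example that is not the scanner from the original post. It assumes only the record layout that .DS_Store keeps in its B-tree leaf pages (4-byte big-endian name length in UTF-16 units, UTF-16BE name, 4-byte structure id, 4-byte type code, then a payload whose size follows from the type code) and deliberately skips the Buddy-allocator and B-tree bookkeeping, so it also works on truncated downloads. The sample blob, the host name and the `probe`/`extract_names`/`candidate_urls` function names are constructed for this example.

```python
"""Extract the names stored in a .DS_Store blob and probe the matching URLs.

Added example, not the scanner from the original post. Only the record layout
of .DS_Store is assumed; allocator and B-tree structures are skipped so that a
partial or truncated download still yields every complete record it contains.
"""
import struct
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import quote, urljoin
from urllib.request import Request, urlopen

# Fixed-size payload types and their lengths; 'blob' and 'ustr' carry a length prefix.
FIXED_TYPES = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}
VAR_TYPES = {b"blob", b"ustr"}


def extract_names(data: bytes) -> list[str]:
    """Return the distinct file/folder names recorded in `data`, in file order.

    Records named "." describe the folder itself and are dropped.
    """
    names: list[str] = []
    i = 0
    while i + 12 <= len(data):
        n = struct.unpack_from(">I", data, i)[0]            # name length in UTF-16 units
        if 1 <= n <= 255 and i + 12 + 2 * n <= len(data):
            struct_id = data[i + 4 + 2 * n : i + 8 + 2 * n]
            type_code = data[i + 8 + 2 * n : i + 12 + 2 * n]
            if struct_id.isalnum() and (type_code in FIXED_TYPES or type_code in VAR_TYPES):
                try:
                    name = data[i + 4 : i + 4 + 2 * n].decode("utf-16-be")
                except UnicodeDecodeError:
                    name = ""
                if name and name.isprintable():
                    if name != "." and name not in names:
                        names.append(name)
                    payload = i + 12 + 2 * n              # skip the payload, continue after it
                    if type_code in FIXED_TYPES:
                        i = payload + FIXED_TYPES[type_code]
                    else:
                        count = struct.unpack_from(">I", data, payload)[0] if payload + 4 <= len(data) else 0
                        i = payload + 4 + count * (2 if type_code == b"ustr" else 1)
                    continue
        i += 1                                              # not a record here, slide one byte
    return names


def candidate_urls(base_url: str, names: list[str]) -> list[str]:
    """URLs to try for each name listed next to base_url/.DS_Store."""
    base_url = base_url if base_url.endswith("/") else base_url + "/"
    return [urljoin(base_url, quote(name)) for name in names]


def probe(base_url: str, depth: int = 2, timeout: float = 5.0) -> dict[str, int]:
    """Fetch base_url/.DS_Store, HEAD every listed name and descend into names that
    look like folders (no dot in the name) while `depth` allows. Returns url -> status."""
    base_url = base_url if base_url.endswith("/") else base_url + "/"
    headers = {"User-Agent": "ds-store-check"}
    results: dict[str, int] = {}
    try:
        with urlopen(Request(urljoin(base_url, ".DS_Store"), headers=headers), timeout=timeout) as resp:
            blob = resp.read()
    except (HTTPError, URLError):
        return results                                      # nothing exposed at this level
    names = extract_names(blob)
    for name, url in zip(names, candidate_urls(base_url, names)):
        try:
            with urlopen(Request(url, method="HEAD", headers=headers), timeout=timeout) as resp:
                results[url] = resp.status
        except HTTPError as err:
            results[url] = err.code                         # 403/404 are findings too
        except URLError:
            continue
        if depth > 0 and "." not in name:
            results.update(probe(url + "/", depth - 1, timeout))
    return results


def pack_record(name: str, struct_id: bytes, type_code: bytes, payload: bytes) -> bytes:
    """Serialise one record in the .DS_Store layout (used here only to build sample input)."""
    encoded = name.encode("utf-16-be")
    head = struct.pack(">I", len(encoded) // 2) + encoded + struct_id + type_code
    if type_code in VAR_TYPES:
        units = len(payload) // 2 if type_code == b"ustr" else len(payload)
        return head + struct.pack(">I", units) + payload
    return head + payload


# Constructed sample, not a real capture: the "Bud1" file header followed by records
# as they appear in a leaf page (Finder icon positions plus one comment), then padding.
ILOC = struct.pack(">II", 120, 80) + b"\xff" * 8               # x, y, 8 reserved bytes
SAMPLE_DS_STORE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 28
    + pack_record(".", b"vSrn", b"long", struct.pack(">I", 1))
    + pack_record("index.html", b"Iloc", b"blob", ILOC)
    + pack_record("database_dump.sql", b"Iloc", b"blob", ILOC)
    + pack_record("wp-config.php.bak", b"Iloc", b"blob", ILOC)
    + pack_record("index.html", b"cmmt", b"ustr", "old".encode("utf-16-be"))
    + b"\x00" * 64
)

if __name__ == "__main__":
    if len(sys.argv) == 2:                                       # python ds_store_check.py https://host/
        for url, status in sorted(probe(sys.argv[1]).items()):
            print(status, url)
    else:                                                        # offline demo on the constructed sample
        print(candidate_urls("https://example.com/", extract_names(SAMPLE_DS_STORE)))
```

Run with a base URL to walk a live host, or without arguments to see the names recovered from the constructed sample. Using HEAD for the candidates keeps the check cheap and avoids pulling a multi-gigabyte dump just to learn that it is reachable; a 200 on a name like database_dump.sql is the finding, the download is a separate decision.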

In most cases nobody uploads these files on purpose: the tool used to develop and deploy the website (an FTP client, a sync tool, a build pipeline) copies the whole working folder to the web server, hidden files included.

Prominent example: Microsoft Vancouver

In the fall of 2021, security researchers from CyberNews found a .DS_Store file on a Microsoft Vancouver web server. The names it contained led to database dumps that could be downloaded from the same server; these dumps contained usernames, email addresses and password hashes of various employees.

Stats from the scan

We found:

  • Domains with an exposed .DS_Store file: 8'462
  • Distinct file and folder names extracted from those files: 19'266
  • About 40% of the named files and folders could be retrieved directly, without any authentication

Analogous to the Microsoft example above, we found 10 database dumps with usernames and password hashes. The most explosive discovery is probably the database dump of a child and adult protection authority. Other sensitive findings included configuration files, SSL certificates, private keys, source code and "pseudo-hidden" admin panels that were reachable by anyone who knew the path.

Take away

Do not upload .DS_Store files to the production web server, or configure the web server so that it never serves them (better: so that it never serves any file or folder whose name starts with a dot, which also covers .git, .env and .htpasswd). Deleting the .DS_Store file alone is not enough once it has been public: everything it listed has to be checked and removed as well, because the names may already have been harvested.
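As an added example (not configuration from the original post), the nginx rule below implements the second option and goes slightly beyond it: it refuses every path segment that starts with a dot, which covers .DS_Store together with .git, .env and .htpasswd, and answers 404 rather than 403 so the response does not confirm that the file exists. The /.well-known/ prefix is excluded because ACME certificate validation needs it.

```nginx
# Added example: block every dotfile and dot-directory, except /.well-known/
# (needed for ACME / Let's Encrypt validation). 404 avoids confirming existence.
location ~ /\.(?!well-known/) {
    return 404;
}
```

The Apache equivalent is a `<FilesMatch "^\.">` section containing `Require all denied`. To stop the files from being uploaded in the first place, exclude them in the deploy tool (for example `--exclude='.DS_Store'` for rsync) and list `.DS_Store` in a global Git ignore file so it never enters a repository that is deployed by checkout.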

You can catch accidentally published .DS_Store files by scanning your own hosts with nuclei and a matching template, or by using a service like this one to run the scan automatically across all your subdomains.


Secure .DS_Store file