TechNewsBoy.com

Microsoft error could open the door to the most damaging phishing scam to date

A Desktop Services Store (DS_STORE) file was left sitting on a publicly accessible web server belonging to Microsoft Vancouver, a significant security failing for the company, reports have claimed.

Had the file fallen into the hands of malicious actors, it could have been used for cyberattacks or malware distribution all over the web, as it stores metadata leading to WordPress database dumps, administrator usernames and email addresses, as well as hashed passwords for the Microsoft Vancouver website.

The vulnerability was spotted by cybersecurity researchers from CyberNews in September 2021, who, while investigating an underground Internet of Things (IoT) search engine, stumbled upon the DS_STORE file.

Security fail

These types of files should be heavily guarded, CyberNews says, as they expose the structure of the folder they sit in, which could result in leaks of sensitive or confidential data.

This particular DS_STORE file allowed the researchers to easily see the contents of the server folder, which included an SQL database, a configuration file, and a database dump file. The researchers also found that both the SQL database and the dump file contained WordPress database dumps that stored numerous admin login credentials, and the hashed admin password for Microsoft Vancouver’s WordPress website.
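A pre-deployment check for the exposure described above, as an added example that is not from CyberNews or the original article: it walks a web root and flags DS_STORE files (by name or by header bytes), SQL files and dumps. The pattern list, the function names and the sample directory are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed patterns, taken from the file types the article names.
RISKY_PATTERNS = {
    ".DS_Store": "macOS folder metadata (lists sibling file names)",
    "*.sql": "SQL database or dump",
    "*.dump": "database dump",
    "*.bak": "backup copy, often of a configuration file",
}
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"  # first 8 bytes of a .DS_Store file


def audit_web_root(root):
    """Return sorted (relative_path, reason) pairs for files that should not be served."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = next((why for pat, why in RISKY_PATTERNS.items()
                           if fnmatch.fnmatch(name, pat)), None)
            if reason is None:
                # Catch a renamed .DS_Store by its header bytes.
                try:
                    with open(path, "rb") as fh:
                        if fh.read(8) == DS_STORE_MAGIC:
                            reason = "renamed .DS_Store (matched by header)"
                except OSError:
                    continue  # unreadable file: skip it
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Audit a constructed sample web root built in a temporary directory."""
    samples = {
        "index.php": b"<?php // constructed sample",
        ".DS_Store": DS_STORE_MAGIC + b"\x00" * 8,
        "wp-content/site.sql": b"-- constructed sample dump",
        "wp-content/folder.dat": DS_STORE_MAGIC + b"\x00" * 8,
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_web_root(root)
```

Run `audit_web_root` against the directory that will be published and fail the deployment if it returns any findings.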

Microsoft slow to respond

The password itself was hashed with MD5, which CyberNews says has “long been known as one of the least secure hashing algorithms”, especially for passwords. A skilled malicious actor would make quick work of such passwords and would be moving through the WordPress site as an administrator in no time. 

To make matters worse, it took “weeks” for CyberNews to get a response from Microsoft, and after taking notice, the company took almost a month to fix the issue. The researchers said they were forced to nudge Microsoft via official contact emails, phone numbers, and customer support emails just to be noticed.

Still, the issue seems to have been resolved. 

Microsoft Vancouver is the company’s office in which different teams work on products such as Notes, MSN, Skype, the Gears of War game, as well as multiple mixed reality applications for both desktop and HoloLens.
