Microsoft error could open the door to the most damaging phishing scam to date


A Desktop Services Store (DS_STORE) file was left sitting on a publicly accessible web server belonging to Microsoft Vancouver in a significant security failing for the company, reports have claimed.

Had the file fallen into the hands of malicious actors, it could have been used for cyberattacks or malware distribution all over the web, as it stores metadata leading to WordPress database dumps, administrator usernames and email addresses, as well as hashed passwords for the Microsoft Vancouver website.

The vulnerability was spotted by cybersecurity researchers from CyberNews in September 2021, who, while investigating an underground Internet of Things (IoT) search engine, stumbled upon the DS_STORE file.

Security fail

These types of files should be heavily guarded, CyberNews says, as they reveal the structure of the folder they sit in, which could result in leaks of sensitive or confidential data.

This particular DS_STORE file allowed the researchers to easily see the contents of the server folder, which included an SQL database, a configuration file, and a database dump file. The researchers also found that both the SQL database and the dump file contained WordPress database dumps that stored numerous admin login credentials, as well as the hashed admin password for Microsoft Vancouver’s WordPress website.
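For site owners, the exposure described above can be checked for before content is published. The following is an added example, not code from CyberNews or Microsoft: a pre-deployment audit of a web document root for the file types the article names. The rule set, function names and sample tree are constructed for illustration.

```python
import os
import tempfile

# Constructed rule set, based on the file types named in the article:
# the .DS_Store file itself, SQL databases/dumps, and configuration files.
LEAKY_NAMES = {".ds_store"}
LEAKY_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak")
# Stock WordPress file names that are expected in a document root.
EXPECTED_CONFIG = {"wp-config.php", "wp-config-sample.php"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for files that
    should not sit under a publicly served directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            lower = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if lower in LEAKY_NAMES:
                findings.append((rel, "macOS folder metadata; lists sibling file names"))
            elif lower.startswith("wp-config") and lower not in EXPECTED_CONFIG:
                # A renamed copy is no longer executed as PHP and is served as text.
                findings.append((rel, "copy of configuration file"))
            elif lower.endswith(LEAKY_SUFFIXES):
                findings.append((rel, "database dump or backup"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it."""
    sample = ("index.php", ".DS_Store", "wp-config.php",
              "wp-config.php.bak", "backup/site.sql", "uploads/.DS_Store")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_docroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Running the audit as a deployment gate, and failing the deployment on any finding, keeps these files from reaching the public server in the first place.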

Microsoft slow to respond

The password itself was hashed with MD5, which CyberNews says has “long been known as one of the least secure hashing algorithms”, especially for passwords. A skilled malicious actor would make quick work of such passwords and would be moving through the WordPress site as an administrator in no time. 

To make matters worse, it took “weeks” for CyberNews to get a response from Microsoft, and since taking notice, the company took almost a month to fix the issue. The researchers said they were forced to nudge Microsoft over official contact emails, phone numbers, as well as customer support emails, just to be noticed. 

Still, the issue seems to have been resolved. 

Microsoft Vancouver is the company’s office in which different teams work on products such as Notes, MSN, Skype, the Gears of War game, as well as multiple mixed reality applications for both desktop and HoloLens.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
