Microsoft error could open the door to the most damaging phishing scam to date


A Desktop Service Store (DS_STORE) file was left sitting on a publicly accessible web server belonging to Microsoft Vancouver in a significant security failing for the company, reports have claimed.

Had the file fallen into the hands of malicious actors, it could have been used for cyberattacks or malware distribution all over the web, as it stores metadata leading to WordPress database dumps, administrator usernames and email addresses, as well as hashed passwords for the Microsoft Vancouver website.

The vulnerability was spotted by cybersecurity researchers from CyberNews in September 2021, who, while investigating an underground Internet of Things (IoT) search engine, stumbled upon the DS_STORE file.

Security fail

These types of files should be heavily guarded, CyberNews says, as they expose the structure of the folder they sit in, which could result in leaks of sensitive or confidential data.

This particular DS_STORE file allowed the researchers to easily see the contents of the server folder, which included an SQL database, a configuration file, and a database dump file. The researchers also found that both the SQL database and the dump file contained WordPress database dumps that stored numerous admin login credentials and the hashed admin password for Microsoft Vancouver’s WordPress website.

Microsoft slow to respond

The password itself was hashed with MD5, which CyberNews says has “long been known as one of the least secure hashing algorithms”, especially for passwords. A skilled malicious actor would make quick work of such passwords and would be moving through the WordPress site as an administrator in no time. 
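The two exposures described above (folder metadata and database dumps left in a public web folder, and MD5 password hashes inside those dumps) can be caught before a site is published. The following audit is an added example, not code from CyberNews or Microsoft; the suffix list, the function names and the sample site tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed policy (not from the article): names that must not sit in a web root.
METADATA_NAMES = {".ds_store"}
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak")
# A quoted 32-hex-digit value in a dump has the shape of a bare MD5 digest.
MD5_SHAPED = re.compile(rb"'[0-9a-fA-F]{32}'")


def audit_webroot(root):
    """Return sorted (relative_path, finding) tuples for risky files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in METADATA_NAMES:
                findings.append((rel, "folder metadata file lists directory contents"))
            elif lower.endswith(DUMP_SUFFIXES):
                findings.append((rel, "database dump or backup inside web root"))
                if lower.endswith(".sql"):
                    with open(full, "rb") as fh:
                        hits = sum(len(MD5_SHAPED.findall(line)) for line in fh)
                    if hits:
                        findings.append((rel, f"{hits} MD5-shaped value(s) in dump"))
    return sorted(findings)


def build_sample_site(root):
    """Write a small constructed site tree so the audit runs offline."""
    backup = os.path.join(root, "wp-content", "backup")
    os.makedirs(backup)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // constructed placeholder page\n")
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real metadata file")
    with open(os.path.join(backup, "site.sql"), "w") as fh:
        # Constructed 32-hex value standing in for a stored password hash.
        fh.write("INSERT INTO users VALUES (1,'admin','" + "ab" * 16 + "');\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, finding in audit_webroot(site):
            print(f"{path}: {finding}")
```

Any finding is a reason to move the file out of the served directory; an MD5-shaped hit is also a reason to rotate the affected credentials.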

To make matters worse, it took “weeks” for CyberNews to get a response from Microsoft, and once it had taken notice, the company took almost a month to fix the issue. The researchers said they were forced to nudge Microsoft through official contact emails, phone numbers, and customer support emails just to be noticed.

Still, the issue seems to have been resolved. 

Microsoft Vancouver is the company’s office in which different teams work on products such as Notes, MSN, Skype, the Gears of War game, as well as multiple mixed reality applications for both desktop and HoloLens.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
