• Microsoft error could open the door to the most damaging phishing

    From TechnologyDaily@1337:1/100 to All on Wed Dec 8 16:45:04 2021
    Microsoft error could open the door to the most damaging phishing scam to date

    Date:
    Wed, 08 Dec 2021 16:24:28 +0000

    Description:
    DS_STORE files display their folder structure, which could result in leaks of sensitive or confidential data.

    FULL STORY ======================================================================

    A Desktop Service Store (DS_STORE) file was left sitting on a publicly accessible web server belonging to Microsoft Vancouver in a significant security failing for the company, reports have claimed.

    Had the file fallen into the hands of malicious actors, it could have been used for cyberattacks or malware distribution all over the web, as it stores metadata leading to WordPress database dumps, administrator usernames and email addresses, as well as hashed passwords for the Microsoft Vancouver website.

    The vulnerability was spotted by cybersecurity researchers from CyberNews in September 2021, who, while investigating an underground Internet of Things (IoT) search engine, stumbled upon the DS_STORE file.

    Security fail

    These types of files should be heavily guarded, CyberNews says, as they display their folder structure, which could result in leaks of sensitive or confidential data.

    This particular DS_STORE file allowed the researchers to easily see the contents of the server folder, which included an SQL database, a configuration file, and a database dump file. The researchers also found that both the SQL database and the dump file contained WordPress database dumps that stored numerous admin login credentials, and the hashed admin password for Microsoft Vancouver's WordPress website.

    Microsoft slow to respond

    The password itself was hashed with MD5, which CyberNews says has long been known as one of the least secure hashing algorithms, especially for
    passwords. A skilled malicious actor would make quick work of such passwords and would be moving through the WordPress site as an administrator in no
    time.
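
    A defender can check their own web root for the same exposure. The script below is an added example, not code from CyberNews or the article; the suffix list, the MD5 heuristic and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: suffix list chosen for this example; extend it for your own stack.
RISKY_SUFFIXES = {
    ".ds_store": "Finder metadata that reveals the names of files in its folder",
    ".sql": "SQL database or dump file",
    ".dump": "database dump file",
}
# Heuristic: a quoted 32-hex-digit value on a users-table INSERT is an unsalted MD5 hash.
MD5_VALUE = re.compile(r"'[0-9a-fA-F]{32}'")

def count_md5_hashes(path):
    """Count MD5-shaped values on INSERT lines that mention a users table."""
    total = 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            low = line.lower()
            if "insert into" in low and "users" in low:
                total += len(MD5_VALUE.findall(line))
    return total

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = Path(dirpath, fn)
            rel = path.relative_to(root).as_posix()
            for suffix, reason in RISKY_SUFFIXES.items():
                if fn.lower().endswith(suffix):
                    findings.append((rel, reason))
                    if suffix != ".ds_store" and (n := count_md5_hashes(path)):
                        findings.append((rel, f"{n} MD5-shaped password hash(es)"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (all names and contents are invented)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backup").mkdir()
        (root / "index.php").write_text("<?php echo 'ok';")
        (root / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
        fake = "0123456789abcdef" * 2  # constructed placeholder, not a real hash
        (root / "backup" / "site.sql").write_text(
            f"INSERT INTO `wp_users` VALUES (1,'admin','{fake}','admin@example.test');\n")
        return audit_webroot(root)
```

    Anything the audit reports belongs outside the document root; credentials found in a dump that was publicly reachable should be rotated.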

    To make matters worse, it took weeks for CyberNews to get a response from Microsoft, and since taking notice, the company took almost a month to fix
    the issue. The researchers said they were forced to nudge Microsoft over official contact emails, phone numbers, as well as customer support emails, just to be noticed.

    Still, the issue seems to have been resolved.

    Microsoft Vancouver is the company's office in which different teams work on products such as Notes, MSN, Skype, the Gears of War game, as well as
    multiple mixed reality applications for both desktop and HoloLens.



    ======================================================================
    Link to news story: https://www.techradar.com/news/microsoft-error-could-open-the-door-to-the-most-damaging-phishing-scam-to-date/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)