Sensitive Information Leak via Forgotten .DS_Store File on redacted.com
I’m ADANDE Tobi Roland, also known as “Roland Hack,” and I’m 18 years old. As an active member of the Balgo Security team, I’m passionate about cybersecurity and have discovered my passion for finding vulnerabilities in websites. I devote a great deal of my free time to exploring the nooks and crannies of the IT security world, notably by actively participating in bug bounty. The perpetual quest for technical challenges and the desire to improve online security are what drive me. I’m delighted to share this experience of a vulnerability discovered on a private bug bounty program on HackerOne.
Vulnerability discovery:
During my enumeration process on the site in question, I spotted a file with the name .DS_Store. Initially, the data contained in this file seemed unreadable when I ran the strings command. However, the situation took a turn when I remembered encountering a similar file in a forensics challenge during a CTF (Capture The Flag). My intuition prompted me to explore this file further, as I wondered whether it might contain sensitive information.
After a discussion with a friend who is also part of my team, he informed me that the .DS_Store file is indeed sensitive and may contain valuable data. It was then that I realized there was more to explore. I began searching for a suitable script that would allow me to extract the information inside the .DS_Store file.
After extracting data from the .DS_Store file using a script available at this link: https://github.com/gehaxelt/Python-dsstore, I was confronted with a multitude of directory and file names. Contrary to my expectations, this extracted data was readable as soon as it was extracted.
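To show what the script above is actually recovering, here is an added example (my own code, not the post's and not the Python-dsstore project's) that decodes the records of one .DS_Store B-tree leaf node and checks the file signature. It assumes the documented record layout (big-endian lengths, UTF-16BE names, four-byte struct id and type) and deliberately skips the Buddy-allocator block table and B-tree walk needed for a whole file; the sample node is constructed inline, not taken from any real site.

```python
import struct

# Payload sizes of the fixed-width .DS_Store value types; "blob" and "ustr"
# carry a 4-byte length prefix instead (ustr length counts UTF-16 code units).
FIXED_SIZE = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}

def is_dsstore(data):
    """True if data starts with the .DS_Store signature (0x00000001 + 'Bud1').
    Lets a responder tell a real leaked file from a soft-404 page served with 200."""
    return data[:8] == b"\x00\x00\x00\x01Bud1"

def parse_leaf_node(node):
    """Decode one B-tree leaf node: uint32 P (0 for a leaf), uint32 record count,
    then records of: uint32 name length, UTF-16BE name, 4-byte struct id,
    4-byte struct type, type-specific payload. Returns (name, id, type) tuples."""
    p, count = struct.unpack_from(">II", node, 0)
    if p != 0:
        raise ValueError("not a leaf node (P=%d); internal nodes carry child pointers" % p)
    pos, entries = 8, []
    for _ in range(count):
        n, = struct.unpack_from(">I", node, pos)
        pos += 4
        name = node[pos:pos + 2 * n].decode("utf-16-be")
        pos += 2 * n
        struct_id, struct_type = node[pos:pos + 4], node[pos + 4:pos + 8]
        pos += 8
        if struct_type in FIXED_SIZE:
            pos += FIXED_SIZE[struct_type]
        elif struct_type in (b"blob", b"ustr"):
            length, = struct.unpack_from(">I", node, pos)
            pos += 4 + length * (2 if struct_type == b"ustr" else 1)
        else:
            raise ValueError("unknown struct type %r" % struct_type)
        entries.append((name, struct_id.decode("ascii"), struct_type.decode("ascii")))
    return entries

def _record(name, struct_id, struct_type, payload):
    # Helper to build one record in the same layout parse_leaf_node reads.
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + struct_id + struct_type + payload

# Constructed sample leaf node (hypothetical directory, not a real capture):
# an Iloc icon-position blob, a dscl "expanded" flag and a cmmt comment string.
SAMPLE_LEAF = struct.pack(">II", 0, 3) + b"".join([
    _record("gitpull.bash", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16),
    _record("backup", b"dscl", b"bool", b"\x01"),
    _record("config.php", b"cmmt", b"ustr", struct.pack(">I", 4) + "test".encode("utf-16-be")),
])

def leaked_names(node=SAMPLE_LEAF):
    """Distinct file and directory names a leaf node reveals, in sorted order."""
    return sorted({name for name, _, _ in parse_leaf_node(node)})
```

Every name in a .DS_Store is a directory listing of a folder that was once on a developer's Mac, which is why the check belongs in a pre-deploy scan of the web root as much as in a response triage.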
In the course of a meticulous investigation, I examined these files and directories one by one, hoping to unearth some sensitive information. After a long search with no significant results, I finally got my hands on a file named gitpull.bash. Its contents immediately raised concerns due to the presence of sensitive information, including:
The Sucuri WAF API key
SSH session names and IP addresses
Internal paths
This sensitive information revealed a major security risk, as the Sucuri WAF API key gave access to actions such as:
Clear cache
curl 'https://waf.sucuri.net/api?v2' --data 'k=YOUR_KEY' --data 's=YOUR_SECRET' --data 'a=clear_cache'
Block an IP address
curl 'https://waf.sucuri.net/api?v2' --data 'k=YOUR_KEY' --data 's=YOUR_SECRET' --data 'a=block_ip' --data 'ip=1.2.3.4'
Unblock an IP address
curl 'https://waf.sucuri.net/api?v2' --data 'k=YOUR_KEY' --data 's=YOUR_SECRET' --data 'a=unblock_ip' --data 'ip=1.2.3.4'
View blocked IP addresses
curl 'https://waf.sucuri.net/api?v2' --data 'k=YOUR_KEY' --data 's=YOUR_SECRET' --data 'a=blocked_ips'
Disable WAF
curl 'https://waf.sucuri.net/api?v2' --data 'k=YOUR_KEY' --data 's=YOUR_SECRET' --data 'a=disable_waf'
Clearing the site cache
It is important to note that this discovery is not an isolated case. It highlights an often overlooked aspect of online security: .DS_Store files. These files, generated by the macOS operating system, can contain sensitive information that often goes unnoticed.
My main motivation for writing this report is to make the security research community aware of the potential threat posed by .DS_Store files. All too often, these files are ignored or underestimated, yet they can contain information vital to the security of online systems.
I encourage you to be alert to the presence of .DS_Store files during your vulnerability testing, and to explore their contents responsibly and ethically. The vulnerability I discovered is a reminder that even seemingly innocuous items can reveal significant security flaws.
By sharing this experience, I hope to help strengthen the vigilance of the security research community and reduce the potential risks associated with these often overlooked files.
Positive feedback from the program:
After submitting my vulnerability report to the bug bounty program, I’m delighted to share that I received extremely positive feedback. The program team was amazed by the quality and relevance of my report. What’s more, they recognized the importance of the vulnerability I discovered and took immediate action to correct it.
In recognition of the vulnerability I discovered and reported to the bug bounty program, I received a generous reward in the amount of $500.
I hope you found this report useful. Please feel free to leave me your comments.
Twitter: https://twitter.com/RolandHack6
LinkedIn: https://www.linkedin.com/in/roland-hack/