What happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files

by sdcatNovember 17th, 2022

After scanning for public .git directories and exposed .env files, I scanned the same dataset of 2.6 million domains for exposed .DS_Store files. I found 8'462 exposed .DS_Store files. From these files, I extracted 19'266 unique folder and file names. About 40% of these files are accessible. 10 database dumps with usernames and passwords, config files, SSL certificates and "pseudo-hidden" admin panels were exposed.


TLDR: Watch out for mistakes in the deployment process. Never expose your hidden .DS_Store file to the public.

What are .DS_Store files?

.DS_Store files are hidden files that are automatically created by the Finder (the file browser of Apple macOS, formerly OS X). They are hidden in the file system and are not shown in the Finder. DS_Store stands for Desktop Services Store. The file stores settings for the folder view, icon positions, etc. On Windows, the .DS_Store file is comparable to the likewise hidden desktop.ini file. In each folder, you will find a hidden .DS_Store file.


The .DS_Store file can also list the contents of the folder (file or folder names). .DS_Store files are binary files and cannot be read directly by humans. However, there are tools that can extract the data they contain. (Shoutout to @gehaxelt who built this awesome tool to extract the data from a .DS_Store file: https://github.com/gehaxelt/Python-dsstore).

How does data get leaked through .DS_Store files?

If such .DS_Store files are copied to a web server, they can be downloaded and analyzed. Through the file and folder names stored in the .DS_Store file, folders or files that are not intended for the public can be revealed.


The .DS_Store file can be accessed easily, for example at https://example.com/.DS_Store. If you also accept invalid SSL certificates when scanning, you will find a lot more.


Most of the time, the hidden files are automatically uploaded to the web server by the tool used to develop and deploy the website.
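One way to stop the deployment tool from shipping these files is a pre-deploy gate that refuses to publish a build directory still containing Finder or developer leftovers. The script below is an added example and not the article's own code; the build directory layout and the blocklist of names are constructed assumptions.

```python
"""Added example (not from the article): refuse to deploy a build directory
that still contains hidden leftovers such as .DS_Store, .env or .git."""
from __future__ import annotations

import os
import tempfile

# Names that must never reach the web root (assumed blocklist).
BLOCKED_NAMES = {".DS_Store", ".env", ".git"}


def find_leftovers(root: str) -> list[str]:
    """Return sorted, root-relative paths of blocked files and directories."""
    hits: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Check directories first so a blocked directory (e.g. .git) is
        # reported once and not descended into.
        for name in list(dirnames):
            if name in BLOCKED_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
                dirnames.remove(name)
        for name in filenames:
            if name in BLOCKED_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def deploy_allowed(root: str) -> bool:
    """The gate: deployment is allowed only when no leftover is present."""
    return not find_leftovers(root)


def build_sample_tree() -> str:
    """Construct a throwaway build directory (constructed sample, not a real
    site) with two .DS_Store files and an .env file mixed into normal assets."""
    root = tempfile.mkdtemp(prefix="site-build-")
    os.makedirs(os.path.join(root, "assets"))
    for rel in ("index.html", "assets/app.js", ".DS_Store",
                "assets/.DS_Store", ".env"):
        with open(os.path.join(root, rel), "wb"):
            pass
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_leftovers(root):
        print("blocked:", path)
    print("deploy allowed:", deploy_allowed(root))
```

Run this as the first step of the deploy job and abort on a non-empty list; a release that carries a .DS_Store in any folder still leaks the names of that folder's contents even when the files themselves are not served.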

A prominent example: Microsoft Vancouver

In the fall of 2021, CyberNews security researchers found a .DS_Store file on a Microsoft Vancouver web server. Based on the contents of this file, database dumps could be downloaded from the server. These database dumps contained usernames, email addresses, and password hashes of various employees.

How can I check if my domain is affected?

You can scan your domains and subdomains with a nuclei template or you can use a service like scan.nan.io to check your domains and subdomains automatically for exposed sensitive files.
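For the two steps the article describes, fetching /.DS_Store and extracting the folder and file names it contains, here is a small checker as an added example. It is not the article's code and not gehaxelt's Python-dsstore tool: instead of walking the file's buddy-allocator B-tree it scans for the record layout the format uses (4-byte big-endian name length, UTF-16BE name, 4-byte structure id, 4-byte structure type), which is enough to triage a downloaded file. The sample bytes, the domain argument and the size cap are constructed assumptions.

```python
"""Added example (not from the article or from Python-dsstore): recognise a
served .DS_Store file and pull the folder/file names out of it."""
from __future__ import annotations

import struct
import sys
import urllib.error
import urllib.request

# Every .DS_Store starts with a 4-byte alignment word (1) and the magic "Bud1".
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"
# Structure types that may follow the 4-byte structure id of a record.
KNOWN_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}


def is_ds_store(body: bytes) -> bool:
    """True when the response body carries the .DS_Store header."""
    return body.startswith(DS_STORE_MAGIC)


def extract_names(body: bytes) -> list[str]:
    """Heuristic record scan: name_len (uint32 BE), UTF-16BE name,
    4-byte struct id, 4-byte struct type. Returns unique names in file order."""
    names: list[str] = []
    seen: set[str] = set()
    i, n = 0, len(body)
    while i + 4 <= n:
        length = struct.unpack_from(">I", body, i)[0]
        if 1 <= length <= 255:
            end = i + 4 + 2 * length            # end of the UTF-16BE name
            if end + 8 <= n and body[end + 4:end + 8] in KNOWN_TYPES:
                try:
                    name = body[i + 4:end].decode("utf-16-be")
                except UnicodeDecodeError:
                    name = ""
                if name and name.isprintable():
                    if name not in seen:
                        seen.add(name)
                        names.append(name)
                    i = end + 8                  # skip past id and type
                    continue
        i += 1
    return names


def fetch_ds_store(domain: str, timeout: float = 10.0) -> bytes | None:
    """GET https://<domain>/.DS_Store; None when absent or unreachable.
    Network call, so it is not exercised by the test."""
    try:
        with urllib.request.urlopen(f"https://{domain}/.DS_Store", timeout=timeout) as resp:
            return resp.read(1_000_000)          # assumed cap on download size
    except (urllib.error.URLError, OSError):
        return None


def _record(name: str, struct_id: bytes, struct_type: bytes, payload: bytes) -> bytes:
    """Build one record in the on-disk layout (used only for the sample)."""
    encoded = name.encode("utf-16-be")
    return struct.pack(">I", len(encoded) // 2) + encoded + struct_id + struct_type + payload


# Constructed sample: header plus three records, not a real dump from any server.
SAMPLE = (
    DS_STORE_MAGIC + b"\x00" * 24
    + _record("dump.sql", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("admin_panel", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("config.php", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
)


if __name__ == "__main__":
    body = fetch_ds_store(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    if body and is_ds_store(body):
        print("exposed .DS_Store; names it reveals:", extract_names(body))
    else:
        print("no .DS_Store served")
```

The header check matters because many servers answer /.DS_Store with a 200 and an HTML page; only a body starting with the "Bud1" header is a real hit. The names the scanner returns are exactly what an outsider would learn about the folder, so each one is a candidate for a follow-up "is this reachable?" check on your own host.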


Takeaway: Check your server and deployment so that the hidden .DS_Store file is never exposed.