Depositfiles, an extremely popular file storage and sharing service in the 2010s, accidentally left its configuration file accessible to everyone, exposing a whole arsenal of secret credentials.
A team of researchers from Cybernews found that the Depositfiles configuration file, which holds the settings needed to run the application and its various services, was publicly accessible. The configuration file itself contained the following:
- Redis database credentials;
- Credentials for the "Billing" and "Uploads" databases;
- Credentials for the complaints and support systems;
- The Paymentwall secret key;
- Credentials for the Twitter, Facebook and VK platforms;
- Google App ID and Secret;
- Payment service credentials;
- Credentials for the accounts hosting the mobile applications.
"Potential attacks against the service and its users may have serious consequences. Depositfiles clients risk losing their personal information, files, and passwords. And attackers can now easily attack the company using malware or unauthorized access to payment systems," the researchers say.
According to Cybernews, the configuration file had been accessible since February 2023. Depositfiles corrected the problem shortly after the team contacted them. However, the company did not publicly comment on the error. Who knows, maybe the Cybernews researchers were not the first to find the configuration file.
Configuration files usually contain the values and settings a system needs in a given environment; in the case of Depositfiles, the file also held other highly sensitive information.
In the wrong hands, the disclosed data can jeopardize the privacy of Depositfiles users and the security of the company itself. According to the researchers, the file gave attackers enough to carry out attacks such as distributed denial of service (DDoS), spread ransomware, or cause financial losses.
This incident is a good reminder that any cloud, no matter how well-known and reliable, is just someone else's computer, and is at risk of compromise just like your own devices.