
Open directories: our research findings

by Cybersprint Analyst Report 3 Dec 2021

In our previous blogs in this open directory series, we talked about what open directories are and why they pose a risk, and how we set up our own research into the extent of the issue. That also featured a sneak peek into the results. Now that we have presented the findings in our webinar, this article will cover the statistics and most striking examples. And most importantly: what are our conclusions, and what tips do we have to make your own directories free of data leaks?

Just to recap: a directory listing is a web server function that displays the contents of a directory when there is no index file in that website directory. It could be that this feature is turned on by default, in which case you’d explicitly have to turn it off. Misconfigurations of the directory listing are a risk too, as is the ‘security through obscurity’ approach: having no direct link visible doesn’t automatically mean the directory can’t be found by other means.

A few statistics

This was proven in our research as well. We ran scans for open directories for roughly two months, after which we had found 475,542 open directories with an estimated total number of files well over 10 million. We have seen shipping records, invoices, data dumps, data backups, employee listings (including data privilege levels), and much more.

Figure 1. Top 10 countries with open directories

As shown in Figure 1, we found the most open directories in the US. That’s because most web services run on hosting located in the US. The rest of the countries have considerable data hosting as well.

Another interesting finding was which open ports served open directories, as shown in Figure 2. Naturally, ports 80 and 443 ranked high. But it turns out people configure a custom port 666 for open directories as well, which ranked highest among the remaining ports.

Figure 2. Top 10 open ports with open directories

One other statistic tells us which products people use to serve open directories. As seen in Figure 3, Apache is by far the most popular: of the 475,542 open directories, 80.7% were served using Apache.

Figure 3. Top 10 used products for open directories

Highlighted results

Now, how can you see open directories ‘in the wild’ without actually looking for them yourself? During the webinar, Soufian showed two examples of open directories he came across while on holiday just the week before. In Example 1, the left photo was taken at Roma Airport, and the second at Pisa train station. The latter shows the directories of camera recordings, and it’s visible that they use Apache for that as well.

Example 1. Photos of open directories visible in public spaces

Export data

We found several data exports people had created to generate .CSV or .XLSX files, most likely for storing or sharing information. However, such files can contain a lot of confidential information, as seen in Example 2 below. The file contains over 24,000 shipping records, featuring the full name, home address, email address, phone number, shipping information, and more. Should such a file get leaked, it’s a serious incident.

Example 2. Exposed shipping information

Another example of a data export we found is a complete list of taxi records. It shows all the trips a French company has made, who was in the taxi, where they got in, what the destination was, the taxi fare, and more. This kind of file could be used to track down the places a person has visited, or even their home address.

Example 3. Exposed taxi fare information

One final example, and maybe the most critical here, is a list we came across belonging to the US government. It contains over 7,000 records with the full names and ranks of US police officers and firefighters, their departments, yearly earnings, and more.

Example 4. US governmental officers information

SQL dumps

Finally, we want to highlight the .SQL files we found in open directories. In total, there were 1,367 SQL database dumps. Vincent explained that people probably keep these files as backups, and that they usually contain sensitive information.

In the example below, it was actually difficult to leave any of the text unblurred because of the confidentiality of the data. It is a file containing people’s first and last names, usernames, passwords, email addresses, whether or not they are staff, whether they are superusers, their first and last login dates, and much more. This would give a threat actor a lot of information with which to gain access to the company’s data via easy privilege escalation.

Example 5. Full user information data dump

Conclusion

Soufian and Vincent talked about many more examples and exposed data files during the webinar. Vincent concluded by stating that we found both technically sensitive information and personally sensitive information. Both can be used by threat actors to attack the particular companies or the people they serve, which could lead to considerable GDPR fines, especially for the Personally Identifiable Information that was available.

So, what are the lessons learnt from the research, and what can you do to prevent a data leak through an open directory?

  • First of all: always disable directory listings, especially if there is no critical need to serve those types of files. Most of the files we encountered really didn’t need to be accessible to everyone.
  • Never rely on obfuscated URLs for security. Even when there is no direct path to a part of your website, it could still be indexed and found.
  • Patch your web servers. Though it’s common practice, there could still be minor findings without a high CVE score that could lead to serious data leaks this way. So always patch everything you can on your web servers.
  • Always monitor for open directories and open cloud storage, and not just in the infrastructure you control, but also in your shadow IT and (external) business IT, as these can be prone to a lack of web server hardening.

In the final Q&A of the webinar, Soufian shared his insights on the possibility of automatically detecting open directories, and on how to determine whether an open directory is open by accident or intentionally open, in which case a vulnerability disclosure wouldn’t be necessary.
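As an added example (not Cybersprint’s tooling or anything shown in the webinar), this is the kind of check an automated monitor over your own web hosts could apply to each fetched page: recognise the default auto-generated listing page by its title and flag the file types behind the findings above, so an accidental listing full of exports or dumps is escalated before a listing that only serves public files. The sample response bodies are constructed, and the title patterns and extension list are assumptions you would tune to your own environment.

```python
import re
from posixpath import splitext
from urllib.parse import urlparse

# Constructed sample bodies (not real captures) standing in for what a
# monitoring job would fetch from your own hosts.
APACHE_LISTING = """<html><head><title>Index of /exports</title></head><body>
<h1>Index of /exports</h1><pre>
<a href="../">Parent Directory</a>
<a href="shipping_records.csv">shipping_records.csv</a>  2021-11-02 10:14  1.8M
<a href="db-backup.sql">db-backup.sql</a>                2021-11-03 02:00   42M
<a href="logo.png">logo.png</a>                          2021-10-01 09:30  4.1K
</pre></body></html>"""

NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><h1>Welcome</h1><a href="/downloads/catalog.xlsx">Catalogue</a></body></html>"""

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
HREF_RE = re.compile(r"""<a\s[^>]*?href\s*=\s*["']([^"'>]+)["']""", re.IGNORECASE)
# Default titles of auto-generated listings (assumption): "Index of /path"
# for Apache and nginx, "host - /path/" for IIS directory browsing.
LISTING_TITLE_RE = re.compile(r"^\s*Index of /|\s-\s/\S*/\s*$", re.IGNORECASE)
# File types behind the most serious findings in the research: data exports,
# database dumps and backups (assumed list; extend for your environment).
SENSITIVE_EXT = {".sql", ".csv", ".xlsx", ".xls", ".bak", ".zip", ".tar", ".gz", ".dump"}


def analyse_listing(body: str) -> dict:
    """Classify one HTTP response body: is it an auto-generated directory
    listing, and if so which linked files look like exported or dumped data."""
    m = TITLE_RE.search(body)
    title = m.group(1) if m else ""
    is_listing = bool(LISTING_TITLE_RE.search(title))
    sensitive = []
    if is_listing:
        for href in HREF_RE.findall(body):
            name = urlparse(href).path.rstrip("/").rsplit("/", 1)[-1]
            if splitext(name)[1].lower() in SENSITIVE_EXT:
                sensitive.append(name)
    if not is_listing:
        severity = "none"
    elif sensitive:
        severity = "exposed-data"  # listing plus exports/dumps: treat as an incident
    else:
        severity = "listing"       # listing only: still disable it
    return {"listing": is_listing, "sensitive_files": sensitive, "severity": severity}


if __name__ == "__main__":
    for label, body in (("apache", APACHE_LISTING), ("normal", NORMAL_PAGE)):
        print(label, analyse_listing(body))
```

Turning the listing itself off is done in the server configuration, for example with the Apache `Options -Indexes` directive or `autoindex off;` in nginx.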

For more insights into our complete research and the ways you can minimise the risk of open directories, watch the on-demand webinar by clicking the button below.
