In our previous blogs in this open directory series, we talked about what open directories are and why they pose a risk, and how we set up our own research into the extent of the issue. That also featured a sneak peek at the results. Now that we have presented the findings in our webinar, this article covers the statistics and the most striking examples. And most importantly: what are our conclusions and tips to keep your own directories free of data leaks?
Just to recap: a directory listing is a web server function that displays the contents of a directory when that directory contains no index file. This feature may be turned on by default, in which case you have to explicitly turn it off. Misconfigured directory listings are a risk too, as is the ‘security through obscurity’ approach: having no visible direct link doesn’t mean the directory can’t be found in other ways.
A few statistics
This was confirmed by our research. We ran scans for open directories for roughly two months and found 475,542 open directories with an estimated total of well over 10 million files. We saw shipping records, invoices, data dumps, data backups, employee listings (including data privilege levels), and much more.
Figure 1. Top 10 countries with open directories
As shown in Figure 1, we found the most open directories in the US, simply because most web services are hosted there. The other countries in the top 10 host considerable amounts of data as well.
Another interesting finding was the ports on which open directories were served, as shown in Figure 2. Naturally, ports 80 and 443 ranked high. But it turns out people also configure the custom port 666 for open directories, which ranked best of the rest.
Figure 2. Top 10 open ports with open directories
Another statistic concerns the products used to serve the open directories. As Figure 3 shows, Apache is by far the most popular: of the 475,542 open directories, 80.7% were served by Apache.
Figure 3. Top 10 products used for open directories
Now, how might you come across open directories ‘in the wild’ without actually looking for them? During the webinar, Soufian showed two examples of open directories he came across while on holiday just the week before. In Example 1, the left photo was taken at Roma Airport and the second at Pisa train station. The latter shows the directories of camera recordings, and it’s visible that they use Apache for that as well.
Example 1. Photos of open directories visible in public spaces
We found several data exports people had created as .CSV or .XLSX files, most likely for storing or sharing information. Such files can contain a lot of confidential information, as Example 2 below shows. This file contains over 24,000 shipping records, featuring the full name, home address, email address, phone number, shipping information, and more. Should such a file leak, it’s a serious incident.
Example 2. Exposed shipping information.
Another data export we found is a complete list of taxi records. It shows all the rides a French company has made: who was in the taxi, where they got in, what the destination was, the taxi fare, and more. This kind of file could be used to track down a person’s visited places or even their home address.
Example 3. Exposed taxi fare information.
One final example, and maybe the most critical, is a list we came across belonging to the US government. It contains over 7,000 records with the full names and ranks of US police officers and firefighters, their departments, yearly earnings, and more.
Example 4. US governmental officers information
Finally, we want to highlight the .SQL files we found. In total, there were 1,367 SQL database dumps. Vincent explained that people may well use these files as backups, which usually contain sensitive information.
In the example below, it was actually difficult to leave any of the text unblurred because of the confidentiality of the data. It is a file with people’s first and last names, usernames, passwords, email addresses, whether or not they are staff, whether they are superusers, their first and last login dates, and much more. This would give a threat actor a lot of information to gain access to the company’s data through easy privilege escalation.
Example 5. Full user information data dump
Soufian and Vincent discussed many more examples and exposed data files during the webinar. Vincent concluded by stating that we found both sensitive technical information and sensitive personal information. Both can be used by threat actors to attack the companies concerned or the people they serve, which could lead to considerable GDPR fines, especially for the Personally Identifiable Information exposed.
So, what are the lessons learnt from the research, and what can you do to prevent a data leak through an open directory?
- First of all: always disable directory listings, especially if there is no critical need to serve those types of files. Most of the files we encountered really didn’t need to be accessible to everyone.
- Never rely on obfuscated URLs for security. Even when there is no direct link to a part of your website, it can still be indexed and found.
- Patch your web servers. Even though it’s common practice, there can still be minor findings without a high CVE score that lead to serious data leaks this way. So always patch everything you can on your web servers.
- Always monitor for open directories and open cloud storage, and not just in the infrastructure you control but also in your shadow IT and (external) business IT, as these can be prone to a lack of web server hardening.
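To make the last tip concrete, here is an added example (not code from the research or the webinar) of the check a monitoring job could run over HTTP responses from your own hosts: it recognises the stock autoindex page that Apache and nginx generate (titled “Index of /…”) and the “[To Parent Directory]” marker IIS uses, and flags the .sql, .csv and .xlsx entries that featured most in our findings. The URLs, headers and HTML bodies are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Stock autoindex templates: Apache httpd (mod_autoindex) and nginx both
# title the page "Index of /path"; IIS links "[To Parent Directory]".
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*?)\s*</title>", re.I)
IIS_RE = re.compile(r"\[To Parent Directory\]", re.I)
# Entry links; column-sort links such as ?C=N;O=D start with '?' and are skipped.
ENTRY_RE = re.compile(r'<a href="([^"?#][^"]*)"', re.I)
# File types the research found most often in exposed directories.
SENSITIVE_EXT = (".sql", ".csv", ".xlsx", ".bak", ".zip")

@dataclass
class Finding:
    url: str
    server: str
    entries: list = field(default_factory=list)

    def sensitive(self):
        return [e for e in self.entries if e.lower().endswith(SENSITIVE_EXT)]

def detect_listing(url, status, headers, body):
    """Return a Finding when the response is an auto-generated listing, else None."""
    ctype = headers.get("Content-Type", "").lower()
    if status != 200 or not ctype.startswith("text/html"):
        return None  # errors, redirects and non-HTML bodies are not listings
    if not (TITLE_RE.search(body) or IIS_RE.search(body)):
        return None
    entries = [e for e in ENTRY_RE.findall(body) if e not in ("/", "../")]
    return Finding(url, headers.get("Server", "unknown"), entries)

def scan(responses):
    """responses: iterable of (url, status, headers, body) tuples; returns Findings."""
    return [f for f in (detect_listing(*r) for r in responses) if f]

# Constructed samples (not data from the research): an Apache-style listing of a
# backup folder, and an ordinary page whose title merely starts with "Index of".
APACHE_BODY = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1><pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="users_dump.sql">users_dump.sql</a>
<a href="shipping.csv">shipping.csv</a>
<a href="readme.txt">readme.txt</a>
<hr></pre></body></html>"""
NORMAL_BODY = '<html><head><title>Index of articles</title></head><body><a href="a.sql">x</a></body></html>'
SAMPLES = [
    ("http://intranet.example/backups/", 200, {"Content-Type": "text/html", "Server": "Apache/2.4"}, APACHE_BODY),
    ("http://intranet.example/", 200, {"Content-Type": "text/html", "Server": "nginx"}, NORMAL_BODY),
    ("http://intranet.example/private/", 403, {"Content-Type": "text/html", "Server": "Apache/2.4"}, APACHE_BODY),
]
```

Calling `scan(SAMPLES)` reports only the /backups/ listing; the fix the first tip asks for is `Options -Indexes` in the Apache configuration (or `autoindex off;` on nginx), and a check like this confirms it actually took effect.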
In the final Q&A of the webinar, Soufian shared his insights on the possibility of automatically detecting open directories, and on how to determine whether an open directory is open by accident or is meant to be open, in which case starting a vulnerability disclosure wouldn’t be necessary.
For more insights into our complete research and the ways you can minimise the risk of open directories, watch the on-demand webinar.