Intego's researchers have discovered an interesting issue related to .DS_Store files and web servers that, in some cases, may lead to security issues. .DS_Store (Desktop Services Store) files are invisible files created by Mac OS X that contain preferences for the display of individual folders on a Mac. They tell the Finder how to display icons (their size and position), whether there is a background color in a folder window, and other information. The Finder creates a .DS_Store for every folder that is opened on a Mac, including remote folders or folders on removable media.
.DS_Store files can also contain data about other files in their folders. For example, a .DS_Store file may contain the names of files that are in its folder, and reading a .DS_Store file can therefore give information about the contents of a folder.
This isn't a problem on a Mac, but it could be a problem on a web server. Intego's researchers have found that many .DS_Store files are actually indexed by Google, and that by downloading them, and reading their contents, it can be possible to get a listing of some or all of the files contained in a web directory.
(This was a known issue on Mac OS X, and it no longer affects Apache running on Mac OS X or Mac OS X Server; Apple set up rules in a 2004 security update that prevent access to .DS_Store files on these operating systems.)
But how do .DS_Store files get on a web server? This can happen in several ways:
- A user copies an entire folder of files to a web server via FTP. In this case, the .DS_Store file contained in that folder (or multiple .DS_Store files contained in sub-folders) gets copied to the web server. (Note that some FTP clients do not copy .DS_Store files by default.)
- A user copies the entire contents of a folder via FTP to a web server by selecting all the files in a folder. In normal usage, the .DS_Store file will not be copied, but, if invisible files are displayed in the user's FTP client, and the user simply selects all files in the folder and copies them to the web server directory, the .DS_Store file - and any other invisible file - will be copied to the server.
- A user mounts a network share in the Finder, and copies files to it. The simple act of mounting the share and displaying a folder in the Finder creates the .DS_Store file.
Here's why .DS_Store files can be a security issue. In a test we did, we put two files in a folder: My Secret Files.dmg and My Top Secret Product picture.png. We copied that folder to a web server, and loaded the .DS_Store file in Safari. Here's what we see:
Anyone who stumbles on that .DS_Store file can therefore see some or all of the contents of the folder, even if the items in that folder are not directly linked to a web page. In the above example, anyone could then copy the .dmg and .png files easily, by simply loading the URLs of the files.
In some cases, .DS_Store files are indexed by Google, and searching for the right text strings will turn up thousands of them. But in other cases, enterprising hackers who suspect that Mac users may have copied files to web servers may spend their time trying out different web directories with /.DS_Store to see what turns up. (Obviously, they could automate this with a script, and effectively spider entire web sites in a few seconds.) While this certainly doesn't allow a hacker to break into a web site, it may allow them to find files that are not meant for public consumption.
Some people use web servers for exchanging files: they'll give a URL to a colleague or partner to allow them to access specific material. If the web directories are not password-protected, and they contain .DS_Store files, they could be exposing potentially sensitive information to possible discovery. While not a critical issue, this should make web site managers rethink how they use their web sites. At a minimum, it is a good idea to ensure that .DS_Store files are not copied. But to be safe, any folders used to exchange important files should be password-protected.
One more point: this weakness also affects Macs in shared environments. If a network has a shared folder which contains sub-folders with permissions for specific users, any user who can access the main folder will be able to access the .DS_Store file, and will see what folders are there (which they might not be able to see otherwise). This can have a number of consequences, since it is possible to see information that should otherwise not be visible.