Sharing is caring, perhaps – but when it comes to your website’s files and directories, it’s not a good idea, as Denuvo found out this week.
A few curious surfers found out that Denuvo, which makes digital rights management (DRM) software to prevent video game piracy, hadn’t locked down all their website’s directories from public view and prodding. That means the website’s private directories and all their files were open for snooping around.
This may not sound like a big deal, but it’s akin to handing over the casino blueprints to the crew of Ocean’s Eleven. The more an attacker knows about how your website is set up and where files are stored, the easier it is for them to find out where sensitive files are held and discover exactly what kind of software runs your website. That kind of detail makes it easier for an attacker to determine what kind of vulnerabilities your site’s software is likely to have, helping them to devise a focused – and likely more successful – attack.
Right now, it doesn’t look like the company’s intellectual property has been put at risk by this mistake, but some harm has already been done by the unintended exposure, and many people are still poking around to see what they can find.
Thus far, snoopers have found that one of the open private directories contains large executable files, proprietary business presentations, as well as logs of private business emails with Capcom and Google and customer support emails going back to 2014. Still, for a company that deals in something that’s controversial among some video game consumers, this kind of exposure is unfortunately being met with some schadenfreude by those who wish DRM would go away.
These kinds of incidents aren’t rare, unfortunately. Just last month, a sex club made a similar mistake, exposing thousands of its members – and their personal data and private profiles – to the open internet.
We’re not exactly sure how this incident happened, but there is a likely theory. From the leaked images of the open directories, it appears that the Denuvo website runs on an Apache web server, and if Apache is not correctly configured some directories can be accidentally left open for public access.
If Apache was correctly configured, there’s also the possibility that the site was using an .htaccess file, which is a kind of configuration file that can overwrite locally the server’s general settings, and it was either not set up correctly or forgotten after some site changes.
Given that, by some approximations, Apache software runs about half the publicly accessible websites on the internet, there’s ample opportunity for Apache misconfigurations to rear their ugly heads.
Basic website security tips
If you run your own website, there’s a long list of settings to check for your site’s security, but if you’re looking for a place to start, here are a few recommendations:
- Don’t allow open directories (to prevent the situation referenced above!)
- Never use default passwords, and don’t use easy/non-unique passwords for any administrative panels or logins for website maintenance
- Change any “admin” usernames to something unique
- Keep your website’s software patched and up-to-date
- Protect your website’s inputs – like search boxes and comment areas – from SQL injection attacks
- Use HTTPS and SSL, especially if your users are logging in to anything or giving you any kind of personal or financial information