|Google.es with DS_Store available on their servers|
Thanks to FaasT, we found many .DS_Store files on the search engine's servers. A .DS_Store file can contain internal paths from the system of the user who manages the website, dates, and new URLs, all of which may help take the pentest further.
|Example of how the internal information in a .DS_Store file is shown in the FaasT interface|
When analyzing Google .DS_Store files, we got the following information:
- More than 40 new paths storing data about the Google Search Appliance (GSA), where the infrastructure, API documentation, or configuration was detailed.
- More than 30 new PDF documents, not all of them publicly available.
- Some other .DS_Store files.
- Some other HTML resources.
Once Google was informed, it quickly removed the files and placed us in its Hall of Fame in recognition of the small help in improving its security.
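To check your own web root for this kind of exposure before publishing, the following added example (not FaasT's code and not from the original post) walks a directory, finds .DS_Store files and lists the entry names each one would disclose. It uses a heuristic scan for name records rather than a full walk of the file's B-tree; the function names and the sample file contents are constructed for illustration.

```python
import os
import struct
import tempfile

MAGIC = b"\x00\x00\x00\x01Bud1"  # first 8 bytes of every .DS_Store
TYPES = {b"bool", b"long", b"shor", b"blob", b"ustr", b"type", b"comp", b"dutc"}

def leaked_names(data):
    """Heuristic record scan (not a full B-tree walk) for entry names."""
    names, i = [], len(MAGIC)
    if not data.startswith(MAGIC):
        return names
    while i + 14 <= len(data):
        (n,) = struct.unpack_from(">I", data, i)  # name length, UTF-16 units
        end = i + 4 + 2 * n                       # name is followed by id + type
        ok = 0 < n <= 255 and end + 8 <= len(data)
        if ok and data[end:end + 4].isalnum() and data[end + 4:end + 8] in TYPES:
            name = data[i + 4:end].decode("utf-16-be", errors="replace")
            if name.isprintable() and "\ufffd" not in name:
                if name not in names:
                    names.append(name)
                i = end + 8
                continue
        i += 1
    return names

def audit_webroot(root):
    """Map each .DS_Store under root to the names it would disclose."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(folder, ".DS_Store")
            with open(path, "rb") as fh:
                findings[os.path.relpath(path, root)] = leaked_names(fh.read())
    return findings

def constructed_sample():
    """Constructed test input: magic, padding, two records. Not a real file."""
    def rec(name, sid, typ, value):
        return struct.pack(">I", len(name)) + name.encode("utf-16-be") + sid + typ + value
    blob = struct.pack(">I", 16) + b"\x00" * 16
    return (MAGIC + b"\x00" * 28 + rec("backup_2014.sql", b"Iloc", b"blob", blob)
            + rec("admin", b"dscl", b"bool", b"\x01"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", ".DS_Store"), "wb") as fh:
            fh.write(constructed_sample())
        print(audit_webroot(root))
```

Any path the audit reports should be deleted from the deployment artifact, and the web server should additionally refuse to serve files named .DS_Store.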
|Sensitive information in tw.adspecs.yahoo.com|
|More sensitive information in tw.adspecs.yahoo.com|
Fundamentally, there were two URLs.
- SSH user for svn.corp.yahoo.com (martinso)
- SVN user: (martinso)
- An internal domain: svn.corp.yahoo.com
- An internal path: /yahoo/adtech/asia/apac/adspecs/tc/adspec_ppt/tw_chi