Full Report
The Cybernews research team discovered DepositFiles’ publicly hosted environment configuration (config) file, which exposed:
Analysis Summary
# Vulnerability: Publicly Exposed DepositFiles Environment Configuration File
## CVE Details
- **CVE ID:** Not Assigned (This is an infrastructure misconfiguration/data exposure, not a formal software vulnerability with an assigned CVE)
- **CVSS Score:** Not Applicable (As this is a specific infrastructure misconfiguration/leak of credentials)
- **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products:** DepositFiles (Specific internal infrastructure components hosting the configuration)
- **Versions:** Not applicable (Issue relates to configuration management, not software versioning)
- **Configurations:** Publicly accessible environment configuration file containing credentials for various internal services.
## Vulnerability Description
The Cybernews research team discovered that DepositFiles hosted an environment configuration file publicly accessible on the internet. This file contained sensitive credentials and keys for multiple critical internal services, including:
* Redis database credentials (for "Billing" and "uploads" databases).
* Credentials for Abuse and Support mail services.
* Payment wall secret key.
* Social media API credentials (Twitter, Facebook, VKontakte).
* Google App ID and Secret.
* Payment service credentials (password, username, endpoint).
* Application IDs and salts for DF Android, DF iOS, PHP unit client, and DF VPN apps.
## Exploitation
- **Status:** Potential exploitation exists because the credentials were exposed (exploitation in the wild is not explicitly reported, but the credentials were publicly reachable, so unauthorized use must be assumed).
- **Complexity:** Low (Direct access to configuration file grants immediate access to credentials).
- **Attack Vector:** Network (Remote access to the publicly hosted file).
## Impact
- **Confidentiality:** High (Exposure of database credentials, application secrets, and user-related service keys).
- **Integrity:** High (Potential to manipulate billing/upload databases, impersonate services, or alter payment processes).
- **Availability:** Medium (Compromise of underlying infrastructure could lead to service disruption if credentials are used for unauthorized administrative access).
## Remediation
### Patches
- Since this is a configuration management issue, no traditional software patch is available. The immediate remediation is removing public access to the configuration file and rotating all exposed secrets; removing access alone is insufficient, since the file may already have been retrieved while it was public.
### Workarounds
- Immediately revoke and regenerate all credentials and secrets exposed in the configuration file (Redis passwords, payment keys, API secrets, etc.).
- Ensure proper access controls (e.g., .htaccess, IAM policies) are in place to prevent public exposure of sensitive configuration files.
## Detection
- **Indicators of Compromise:** Unauthorized connection attempts or activity originating from unknown IP addresses to Redis instances, payment processors, or associated cloud services referencing the exposed credentials.
- **Detection methods and tools:**
  - File integrity monitoring on configuration directories.
  - Network monitoring for unrecognized traffic patterns targeting database endpoints.
  - Auditing cloud storage/hosting permissions for accidental public exposure.
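One concrete way to establish whether a publicly hosted configuration file was actually retrieved, and therefore which secrets must be rotated, is to sweep the web server access log for requests to environment/config file paths and separate served (200) responses from blocked (401/403) and probing (404) ones. The script below is an added example, not code from Cybernews or DepositFiles; the log lines are constructed, and the list of sensitive file names is an assumption to extend for your own deployment.

```python
import re
from collections import namedtuple

# Constructed sample lines in Apache/Nginx "combined" log format (not real DepositFiles logs).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2023:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2023:10:01:23 +0000] "GET /.env HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2023:10:02:00 +0000] "GET /config/app.env HTTP/1.1" 403 199 "-" "curl/8.1.2"
198.51.100.9 - - [12/Jul/2023:10:02:01 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "curl/8.1.2"
192.0.2.77 - - [12/Jul/2023:10:03:45 +0000] "GET /static/logo.png HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed set of file names that commonly hold environment configuration; extend as needed.
CONFIG_FILENAMES = {"config.php", "config.ini", "settings.ini", "secrets.yml", "app.yml"}

Finding = namedtuple("Finding", "ip ts path status verdict")


def is_sensitive_path(path):
    """True if the requested path's last segment looks like an env/config file."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name.startswith(".env") or name.endswith(".env") or name in CONFIG_FILENAMES


def classify(status):
    if status == 200:
        return "EXPOSED"   # file was served: treat every secret in it as compromised
    if status in (401, 403):
        return "blocked"   # access control worked; still worth noting the source IP
    return "probe"         # 404 and others: someone looked for config files, nothing served


def scan_log(text):
    """Return one Finding per request for a sensitive path, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sensitive_path(m["path"]):
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], m["path"], status, classify(status)))
    return findings


def exposed_files(findings):
    """Sorted, de-duplicated list of config paths that were actually served (rotate their secrets)."""
    return sorted({f.path for f in findings if f.verdict == "EXPOSED"})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.verdict:8} {f.status} {f.ip:14} {f.path}")
    print("rotate secrets from:", exposed_files(scan_log(SAMPLE_LOG)))
```

Feed it the real access log (`scan_log(open(path).read())`) once the file has been taken offline; an empty `exposed_files` result only means no retrieval was logged, not that the secrets are safe, so rotation should proceed regardless.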
## References
- Vendor advisories: None specified in detail.
- Relevant links - defanged: hxxps://cybernews[.]com/security/deposit-files-data-leak/