LooseSuits


Talk about the worst possible way to be caught with your pants down. Early this morning, the author of a Digg posting found that Fox News had left directories on their servers open and viewable; the original Digg URL linked to the root_images directory. Thousands of images used on the site, lots of fun stuff to look at, but nothing really terrible. Right?

After discovering this server flaw, some intrepid Digg users started typing in random directory names to see whether those were left unlocked too, and they found that an admin directory was also open, containing dozens of folders. Once this was posted, another Digg user surfing through Fox News' uncharted server territory discovered a shell script meant to automate file transfers, and inside that text file (not going to link for moral/legal reasons) was the Fox News web server FTP login in plaintext.

Luckily for Fox News, the login information was only for a read-only account, so their site wasn't immediately messed with. But the following files located on the server needn't be edited or deleted for anyone to grasp the magnitude of this problem for Fox News:

  • Akamai, IIS, Apache log and traffic files including raw stats for all pages on the site, IP addresses of all visitors.
  • Comma-separated lists of harvested email addresses at over 70MB per file; if you guessed "millions" as the number leaked, you'd be right.
  • Stored SQL queries for interacting with the ZiffDavis content management system.
  • Gigantic XML data files containing archived, full versions of nearly all ZiffDavis publications for print and web.

Absolutely astounding. I don't even know where to begin when talking about the magnitude of this leak and what this could do to Fox News. This is their entire FTP web server, so sensitive and potentially damaging information could be published to the internet in the next few hours or days. Who knows? And you know some Digg user with a monster storage system already wrote a script to download their entire server, so changing the password now would be a moot point for Fox News.
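A defensive check for the two exposures described above (a transfer script holding a plaintext FTP login, and log, CSV, SQL and XML data files sitting under a browsable web root), as an added example that is not part of the original post. The directory names, file names and credentials in `demo()` are constructed placeholders, and the patterns are heuristics rather than a complete secret scanner.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for plaintext FTP logins in transfer scripts.
CRED_PATTERNS = [
    ("ftp-url", re.compile(r"\bftp://[^\s:/@]+:[^\s@/]+@", re.I)),
    ("ftp-user-cmd", re.compile(r"^\s*(?:quote\s+)?user\s+\S+\s+\S+", re.I)),
    ("netrc-style", re.compile(r"\blogin\s+\S+\s+password\s+\S+", re.I)),
    ("tool-flag", re.compile(
        r"\b(?:curl|wget|lftp)\b.*(?:\s-u\s*\S+[:,]\S+|--(?:ftp-)?password[= ]\S+)", re.I)),
]
SCRIPT_SUFFIXES = {".sh", ".bash", ".bat", ".cmd", ".txt", ""}  # "" = no extension
DATA_SUFFIXES = {".log", ".csv", ".sql", ".xml"}  # file kinds the post lists

def audit_docroot(docroot, big_xml_bytes=1_000_000):
    """Return sorted (relative_path, finding) pairs; secrets are never echoed."""
    root, findings = Path(docroot), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel, suffix = path.relative_to(root).as_posix(), path.suffix.lower()
        # Small XML (feeds, sitemaps) is normal on a web server; flag only big dumps.
        if suffix in DATA_SUFFIXES and (
                suffix != ".xml" or path.stat().st_size >= big_xml_bytes):
            findings.append((rel, "data-file:" + suffix))
        if suffix in SCRIPT_SUFFIXES:
            lines = path.read_text(errors="replace").splitlines()
            for line_no, line in enumerate(lines, 1):
                hit = next((n for n, p in CRED_PATTERNS if p.search(line)), None)
                if hit:
                    findings.append((rel, f"{hit}:line {line_no}"))
    return sorted(findings)

def demo():
    """Audit a constructed docroot (placeholder names and credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin" / "xfer").mkdir(parents=True)
        (root / "admin" / "xfer" / "push.sh").write_text(
            "#!/bin/sh\nftp -n ftp.example.invalid <<EOF\n"
            "user EXAMPLE_USER EXAMPLE_PASS\nput feed.xml\nEOF\n")
        (root / "admin" / "subscribers.csv").write_text("a@example.invalid\n")
        (root / "logo.gif").write_bytes(b"GIF89a")
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(rel, finding)
```

Run against the real document root before deployment, any finding means a file that should live outside the web-served tree or a credential that should be moved out of the script and rotated.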

The mind boggles. I guess we all 'think' the larger companies would employ people who would actually not let this happen. Sad fact really.

Wow... just.. wow.

I got a look at one of the files with all the personal data before they took it down. There was a file that was 3 gigabytes worth of personal data!

Some fine examples of LOLnews from Reddit.

I'd offer comment, but the Reddities have covered those bases far better than I ever could.

My favorite being the first one, "Apparently they exclusively recruit Fark Photoshop contest winners."

Yikes!!!!

Oh this begs so many one liners...

And there shall be blood in the streets tonight!

Rumor has it that Fox will be hiring for a new web and server admin too ;)

Wow. That's enormously bad.

It'll be interesting to see what people actually find through that data, though, as this may also be a litmus test to the news source's supposed neutrality. If any PSDs or tracked changes were in that data and aren't entirely kosher, something extremely serious may come of this.

For once, I'm actually going to be interested in the headlines regarding Fox News in the near future... ;)

How incredible!
