Fox News Web site over the weekend exposed a password that granted inappropriate access to images from its news stories and to a headline feed from its content syndication partner and eWEEK publisher, Ziff Davis Media.
The file directory exposure was regrettable, Fox News told eWEEK, but it was far less dramatic than the sensational data breach stories that have popped up since July 23.
Bloggers and news reports erroneously said the Fox News/Ziff Davis incident led to the exposure of sensitive information—names, phone numbers, e-mail addresses—of “at least 1.5 million people” on an FTP server.
What it boils down to is that indexing for a particular file that contains all of Fox News images was left open, allowing people to see the images—which are the same images viewable on the site and which Fox News attaches to stories, Jeff Misenti, general manager and vice president of Fox News Digital, told eWEEK in an interview.
Also exposed was information for some of Fox News content providers—in this case, Ziff Davis. Fox News pulls in headlines from such partners to display on its site, as its done here on the technology portion of its site.
“Another case of scattered files, no intrusion detection and sleeping sys administrators,” van den Heetkamp wrote.
“This hole has been open all day, has been digged some thousand times now and no one at Fox seems to notice. At least we dont sleep. … They made some errors, that could have been avoided with a clever and well thought security policy,” he wrote, and went on to suggest ways to tie down the “gaping hole” that led to what he called “sensitive files.”
The supposedly sensitive files were, in fact, a password to transmit to Ziff Davis syndication server in order to pull in content.
As far as the 1.5 million people whose personal information was allegedly exposed, Misenti said he doesnt have a clue where that false claim came from.
“On the Ziff Davis side its a push server,” he told eWEEK. “They push headlines that we put onto our servers. It doesnt work the other way; you cant push information back.”
In other words, Ziff Davis servers were not breached. Rather, pranksters were able to intercept the syndication servers feed and put up mirror sites that contained Ziff Davis stories and Fox News images.
They were then able to deface those mirror sites to make it look as if Ziff Davis and/or Fox News servers had been compromised. An internal IT staffer at Ziff Davis who requested anonymity said that the one detail of defacement he knew of was a folder on a mirror site that had been named “homoporn.”
Greg Barton, from Ziff Davis legal department, said the company is still investigating the incident and has no comment at this time.
The exposed FTP password enabled the hack, but “at no point [were you able to] talk back to our FTP” server, Misenti of Fox News Digital said. In other words, attackers could read files—nonsensitive files that were bound for public viewing anyway—but couldnt tamper with any files on the server.
“The worst case is [an attacker sees] that, the headlines are there, great, … I want to see the FTP [server] and see these headlines, which is what we do” with syndicated stories anyway, he said.
Fox News has since changed passwords and the directory setup so that its directory folders arent viewable externally. The issue was noticed on July 23 around 7:45 a.m. EST; the indexing was addressed by 8:39 a.m. and was cleared from the Akamai cache by 11 a.m. on that same day, Misenti said.
In spite of the incident getting blown out of proportion, its still not a good thing that external viewers had access to Fox News image directory, however, Misenti said.
“Do you want people to see your file structure? No. But are you exposing information? No,” Misenti said. “Everything out there [such as user information supposedly captured from Fox News], all that stuff, theres no place where you see that.”
In fact, posters on van den Heetkamps blogs were pondering whether the 1.5 million exposed user names was just the ghost of a story from a 2003 breach.
“Wasnt the data leak of 1.5 million people in 2003, or did it happen again?” pondered a poster named Paul N.
How the password got there in the first place is within the context of a script that instructs the server to go to a location, authenticate it and retrieve headlines. Pranksters were able to read the script and untangle a user name and password out of the script.
Its not uncommon. FTP passwords are lying around “all over the place,” said the Ziff Davis IT staffer who requested anonymity.
On July 23, Fox News changed the password and the script setup so that user names are no longer viewable to anybody except internal developers.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.