Software, technology, sysadmin war stories, and more.
Thursday, May 10, 2012

Be careful with those test files on web servers

I witnessed an interesting corporate security issue a couple of years ago. In the web hosting business, you frequently need test files. People set up streaming servers and you park test videos on them to make sure everything's okay (without looking at their content -- ugh).

In this case, some customer's machine was apparently having problems serving up PDFs in such a way that they would be handled properly by clients. They were either being downloaded when they wanted things to open with a handler, or vice versa. In any case, the tech who wound up working it needed to run some tests.

This person apparently grabbed the first file with a PDF extension they found on their local workstation. It had been mailed out as an attachment to the entire company, and it was a list of everyone in the building, their extensions, and all of the helpful shortcuts we used to reach our remote sites without getting stuck in their phone trees.

They parked that file on the customer's machine and proceeded to test the web server with it. I'm not sure if they forgot or got distracted or what, but they left the file there. Time passed.

Then, one day a few weeks later, I got an instant message from one of my friends elsewhere in the company: "run a search for '(site name) employee directory' on Google". I did, and was rewarded with a shiny new copy of our directory courtesy of our customer's machine as the #1 hit.

We had a good laugh, but some other people in the company weren't so amused. They were able to take down the offending file, but then we just pointed out that "view cache" was still there, and all of the data was visible. They freaked out a second time and somehow got the cached data taken down, perhaps by making a request directly to Google.

The drama was over, but we all still had a good laugh at it. If you put something online, expect people to find it sooner or later. They will find a way, even if by accident.