servers exposed via misconfiguration

Pierluigi Paganini October 09, 2021

CyberNews researchers found an exposed configuration file hosted on a subdomain containing production data.

Original post @

CyberNews researchers found an exposed configuration file hosted on a subdomain, containing what appear to be production-level database access credentials, as well as addresses to development endpoints.

Sky, a subsidiary of Comcast, is Europe’s largest media company, boasting a 12% market share and a revenue of approximately £13.4 billion in 2020, as well as more than 31,000 employees and 24 million customers. UpLift Media, launched by Sky and Molson Coors in 2015, is an in-venue digital screen advertising network that operates digital screens in bars and other leisure venues across the UK.

During a threat intelligence gathering operation, our Investigations team came across an exposed configuration file that included plain text access credentials to multiple databases on a domain hosted by the Sky media conglomerate.

The configuration file, first indexed on an IoT search engine on September 7, appears to be the main configuration file of the application hosted on the ‘upliftmedia’ subdomain of, and includes plain text access credentials to databases hosted on the domain.

The IoT search engine that indexed the file enforces a ‘grace period’ of 30 days, during which the indexed leaks are only visible to ‘trusted users and researchers.’ This is presumably intended to help security researchers vetted by the search engine’s staff to secure the exposed devices and files indexed on the service.

Now, however, the URL to the exposed configuration file became publicly visible to anyone with a free search engine account, which might include malicious actors.

After we reported the issue to Sky on October 8, a company representative informed CyberNews that Sky has “taken action to address the issue.” Access to the configuration file has now been disabled.

To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.

What’s in the configuration file?

The unsecured configuration file appeared to contain, among other things:

  • Production-level access credentials (including passwords in plain text) to databases hosted on the subdomain, from localhost (development branch) to Windows Server (production branch).
  • IP addresses and domain names that lead to development endpoints – specialized environments used by developers for testing and iteration.

Example of exposed database access credentials:

Note: Our researchers did not access any unsecured databases due to the potential ethical implications of accessing private databases without authorization.

Who had access?

While it’s unclear if any malicious actors or security researchers have accessed the configuration file before it was secured by Sky, the file itself was presumably indexed by the IoT search engine for at least 30 days prior to its publication.

Anyone who knew where to look could have accessed the data during that period and abused the authentication credentials found in the configuration file.

What’s the impact?

Without having accessed the databases themselves, it would be difficult to calculate the impact of this leak on Sky, UpLift Media, or their customers.

There’s no way to tell what data is being stored on the production server. With that said, exposed configuration files can serve as quick infiltration shortcuts for ransomware groups that could take a company’s servers and data hostage.

If the databases held personal user information, the impact of phishers getting their hands on that data could be massive: email credentials could let malicious actors send phishing emails directly from the domain, bypassing spam filters and gaining their victims’ trust in the process.

In addition, abusing database access credentials could help threat actors plant a shell interface on the web server, potentially resulting in full website takeover, as well as expansion to Sky’s other corporate networks.

Losing plain text credentials for internal servers and databases can spell disaster for any company. Considering the massive scope of disruption a complete network takeover would cause to both Sky and its clients, ransomware operators or affiliates would pay extremely handsomely for a leak of this type on the black market. Such misconfigurations are prime targets for ransomware cartels and bad actors looking to profit from mistakes made by companies of Sky’s size and importance.

The importance of educating support staff on responsible disclosure

In 2021, organizations that wish to avoid security breaches must react faster than ever, which is why technical support staff needs to be acquainted with responsible disclosure procedures. While we commend Sky for fixing the misconfiguration issue quickly and efficiently, getting to the right person has proven to be somewhat difficult.

Unfortunately, it took multiple phone calls with Sky support staff from several unrelated departments before we could reach someone capable of understanding the problem.

Moreover, Sky’s responsible disclosure help page includes an ‘Ask Sky Community’ button, which presumably allows security researchers (or anyone else, for that matter) to report vulnerabilities and security breaches directly to Sky’s public message boards. It goes without saying that the inclusion of the button left us speechless.

When it comes to reporting security breaches, every minute counts, and with the number of cyberattacks growing at unprecedented rates, organizations must focus on educating staff about security policies and disclosure procedures before it’s too late.


On October 8, we reached out to Sky to inform them of the leak and help secure the exposed configuration file. We also asked the company for a comment and posed further questions regarding the incident.

On the same day, a Sky representative informed CyberNews that following an internal investigation, access to the file has been disabled and the servers are no longer accessible.

We will update the article as soon as we receive further comments from Sky.

About the author: CyberNews Team

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking,

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment