We will try to answer some questions about .DS_Store files and this tool:

What is a .DS_Store file?

It is a file (format) used by Apple's macOS to store metadata about a folder. You will likely never see this file, because its name starts with a dot (".DS_Store") and it is therefore hidden in the Finder by default. Nevertheless, it probably exists in almost all of your folders and contains information such as a list of all file names in that particular folder. If you want to learn more about this file, you can check out the Wikipedia article. If you're tech savvy, you may be interested in our research or Sebastian's detailed analysis on 0day.work.

Are there any security implications?

We are confident in answering this question with "yes". Our research showed that websites from the Alexa Top 1M (a list of the most-visited websites) expose the .DS_Store file on their web servers. We found that sensitive information could potentially be downloaded by requesting files on the web server whose names were obtained by parsing the .DS_Store files, for example backups, configuration files, certificate files or databases.
However, the file names in a .DS_Store file only represent the folder state on the developer's machine, which is usually not the actual folder contents on the web server (unless the two happen to be the same!).

Is my website affected?

Most likely it is NOT, unless your developers work on macOS and uploaded the .DS_Store files to the web server's document root without removing them first. You can check for the existence of that file by navigating to any (sub)folder of your website, e.g. http(s)://your-domain.tld/.DS_Store. If a download starts, you are probably affected and we advise you to check the file names with our tool.
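The same check can be done before anything reaches the web server. As an added example (not the internetwache tool and not Sebastian's parser), the following Python script walks a local document root, reports every .DS_Store file with the URL path it would be served under, and confirms each one by its header rather than its name; the document root it scans is constructed inside the script and is hypothetical.

```python
import os
import tempfile
from pathlib import Path

DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"  # 0x00000001 alignment + "Bud1" magic


def is_ds_store(path: Path) -> bool:
    """True if the file carries the .DS_Store header, not merely the name."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(DS_STORE_MAGIC)) == DS_STORE_MAGIC
    except OSError:
        return False


def find_ds_store(docroot: str) -> list:
    """List every .DS_Store under docroot with the URL path it would get."""
    root = Path(docroot).resolve()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".DS_Store":
                full = Path(dirpath) / name
                findings.append({
                    "url_path": "/" + full.relative_to(root).as_posix(),
                    "genuine": is_ds_store(full),  # header check
                })
    return sorted(findings, key=lambda f: f["url_path"])


def build_demo_docroot(base: str) -> str:
    """Constructed sample document root (hypothetical, not a real site)."""
    root = Path(base) / "htdocs"
    (root / "assets").mkdir(parents=True)
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / ".DS_Store").write_bytes(DS_STORE_MAGIC + b"\x00" * 24)  # real header
    (root / "assets" / ".DS_Store").write_bytes(b"not finder data")  # wrong content
    return str(root)


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return find_ds_store(build_demo_docroot(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f["url_path"], "genuine" if f["genuine"] else "unexpected content")
```

Point `find_ds_store` at your real document root (or run it as a pre-deploy step) and delete whatever it lists before uploading.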

What does this tool/website do?

This website lets you upload a .DS_Store file to extract the stored file names. It uses Sebastian's Python version of the parser (code on GitHub) and Flask as the web server. The parser is probably not feature-complete, so it might not work with all .DS_Store files. The file size limit is 1 MB. We store neither the uploaded file nor the parsed file names.

Intended use

Please use this tool only at your own risk and preferably for educational purposes. We believe that publishing this tool will help people understand the (security) risks of (unknowingly) distributing the file, and you're welcome to upload your own .DS_Store files to see what information others can see if they obtain a copy.

Other questions?

If we haven't answered your question yet, feel free to send us an email at contact [a.t] internetwache.org!