Project Information
Repository: https://github.com/Steemhunt/web
Platform: https://steemhunt.com
Expected Behaviour
The .DS_Store file should be hidden; requesting it should return 403 Forbidden.
Actual Behaviour
.DS_Store file is visible publicly.
How to reproduce
Visit https://steemhunt.com/.DS_Store and download the file locally.
In a terminal, use the following command to list the file names stored in the .DS_Store file (names are stored as UTF-16, so the NUL bytes are dropped before running strings and the ptbL/ptbN ustr record tags are stripped from the output).
tr -d '\000' < path/to/.DS_Store | strings | sed 's/ptb[LN]ustr//g'
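As an added example (not part of this report or the Steemhunt code base), a small Python scanner that recognises a .DS_Store body by its header and recovers the recorded file names, which is what the strings one-liner above approximates; the record layout and struct types follow third-party documentation of the format, and the blob it parses is constructed inline, not captured from steemhunt.com.

```python
import re
import struct

DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"  # 4-byte alignment word (1) then "Bud1"
# Struct types that may follow a record's four-character struct id.
RECORD_TYPES = {b"bool", b"long", b"shor", b"blob", b"type", b"ustr", b"comp", b"dutc"}
STRUCT_ID = re.compile(rb"[A-Za-z0-9]{4}")

def is_ds_store(data: bytes) -> bool:
    """True if a response body is a .DS_Store rather than, say, a 403 page."""
    return data.startswith(DS_STORE_MAGIC)

def extract_filenames(data: bytes, max_len: int = 255) -> list[str]:
    """Recover file names by scanning every offset for the record shape
    [u32 name length in UTF-16 units][name UTF-16BE][4-char struct id][4-char type]
    instead of walking the buddy-allocator/B-tree structure."""
    names: list[str] = []
    i = 0
    while i + 4 <= len(data):
        n = struct.unpack_from(">I", data, i)[0]
        name_end = i + 4 + 2 * n
        tail = data[name_end:name_end + 8]
        if (1 <= n <= max_len and len(tail) == 8
                and STRUCT_ID.fullmatch(tail[:4]) and tail[4:] in RECORD_TYPES):
            try:
                name = data[i + 4:name_end].decode("utf-16-be")
            except UnicodeDecodeError:
                name = ""
            if name and name.isprintable():
                if name not in names:
                    names.append(name)
                i = name_end + 8  # step over struct id + type
                continue
        i += 1
    return names

def u16(text: str) -> bytes:
    """Length-prefixed UTF-16BE string, the encoding used for names and ustr values."""
    enc = text.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc

def build_sample() -> bytes:
    """Constructed stand-in for a leaked .DS_Store (not a real capture)."""
    blob16 = struct.pack(">I", 16) + b"\0" * 16  # zeroed Iloc payload
    body = (u16("backup.sql") + b"Ilocblob" + blob16
            + u16("backup.sql") + b"ptbLustr" + u16("Projects/web")
            + u16("config.yml") + b"Ilocblob" + blob16
            + u16("img") + b"bwspblob" + struct.pack(">I", 4) + b"\0" * 4)
    return DS_STORE_MAGIC + b"\0" * 28 + body  # remaining header fields zeroed
```

Running extract_filenames(build_sample()) yields the three names while skipping the ptbL value string, which the strings-based command would print alongside them.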
Impact
Though the website does not host any critical file now, the exposed .DS_Store file lets anyone list and download the files on the website.