Vimeo: CRITICAL full source code/config disclosure for Cameo

2015-01-16T07:43:31
ID H1:43998
Type hackerone
Reporter avlidienbrunn
Modified 2015-05-11T08:07:15

Description

Hi!

The server at https://ci.cameo.tv/ has directory listing on and seems to host quiet a few debian packages containing extremely sensitive information (database paswords, API keys, you name it). One example is the config package containing 16 config files, even personal ones containing local passwords etc.

I think it's pretty obvious but you need to IMMEDIATELY remove the possibility to access this server from the internet. I also think that you should check your logs for this server, and consider changing all the passwords possibly leaked.

Mathias