Applause Credentials Exposed by Unsecured Config File

Cybernews reports that major software testing firm Applause had its credentials for various platforms exposed for three months due to an unsecured environment configuration file.

The exposed .env file contained Applause's credentials for its Marketo, Salesforce, and GoToWebinar systems. According to Cybernews researchers, those credentials could have been used to compromise sensitive customer information, marketing details, and operational and financial data belonging to Applause's clients, which include Microsoft, Google, Dow Jones, and Starbucks, among others.

Before the file was secured, Applause also inadvertently leaked credentials for the WordPress Rocket plugin, which could be abused to degrade website performance, as well as the location of the WordPress debug log used for website troubleshooting. The incident highlights the security weaknesses that .env files present when they are reachable from the web.

"Multiple mistakes can lead to inadvertent exposures, such as access control misconfigurations, forgetting to update the .gitignore file, lack of IP whitelisting, insufficient use of secure and encrypted storage solutions, and others. It's necessary to periodically check web server configuration, use online scanning tools, or manually try to access the .env file through a web browser," researchers said.
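Two of the checks the researchers recommend can be scripted. The following is an added example written for this page, not code from Cybernews or Applause: it verifies that a repository's .gitignore actually excludes `.env` (including the case where a later `!` line re-includes it), and it probes a host you operate for a publicly served `/.env`, classifying the response body so a custom 404 page that returns HTTP 200 is not mistaken for a leak. The hostname, probe paths and sample file contents are constructed assumptions.

```python
"""Self-checks for .env exposure: .gitignore coverage and a web probe.

Added example for this article; not code from Cybernews or Applause.
Assumption: any URL you pass to check_env_url() belongs to a host you
operate, and PROBE_PATHS is a guess at common deployment locations.
"""
import fnmatch
import re
import urllib.error
import urllib.request

# A dotenv line: optional "export", an identifier, "=" and a value.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\S")

# Constructed list of paths worth probing on your own hosts (assumption).
PROBE_PATHS = ["/.env", "/.env.local", "/.env.production"]


def env_keys(body: str) -> list[str]:
    """Return only the KEY names found in a body, so a finding can be
    logged without copying the secret values anywhere."""
    keys = []
    for line in body.splitlines():
        m = ENV_LINE.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def looks_like_env(body: str, min_keys: int = 2) -> bool:
    """True when the body reads like a real dotenv file rather than an
    HTML error page that happens to come back with status 200."""
    return len(env_keys(body)) >= min_keys


def gitignore_covers_env(gitignore_text: str, filename: str = ".env") -> bool:
    """Walk .gitignore top to bottom the way git does: a matching pattern
    ignores the file, a later matching '!' pattern un-ignores it again."""
    covered = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        # Compare against the last path component so "config/.env" and
        # "/.env" are handled like bare ".env".
        pattern = pattern.rstrip("/").split("/")[-1]
        if fnmatch.fnmatchcase(filename, pattern):
            covered = not negate
    return covered


def check_env_url(base_url: str, timeout: float = 5.0) -> list[dict]:
    """Request each probe path on a host you operate and report which
    ones return a body that looks like a dotenv file. Network call; only
    key names are returned, never values."""
    findings = []
    for path in PROBE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, body = e.code, ""
        except (urllib.error.URLError, OSError):
            status, body = None, ""
        findings.append({
            "url": url,
            "status": status,
            "exposed": status == 200 and looks_like_env(body),
            "keys": env_keys(body) if status == 200 else [],
        })
    return findings


if __name__ == "__main__":
    # Constructed sample repo ignore file: .env listed, then re-included.
    sample_gitignore = "node_modules/\n.env\n!.env\n"
    print(".gitignore excludes .env:", gitignore_covers_env(sample_gitignore))
    # Replace with a host you own before running the network probe.
    for f in check_env_url("https://example.invalid"):
        print(f["url"], f["status"], "EXPOSED" if f["exposed"] else "ok")
```

The `looks_like_env` threshold of two keys is deliberate: many frameworks serve a friendly HTML page for unknown paths with status 200, so status alone is not evidence of exposure. The web-server side of the researchers' advice (a `location ~ /\.` deny rule in nginx, or `Require all denied` for dotfiles in Apache) is what this probe should confirm is in place.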