Denuvo helps protect games but failed to offer even basic protection for their own website
An oversight by game protection provider Denuvo has allowed anyone, including game crackers, to access sensitive files stored on Denuvo's website.
Several private directories on the Denuvo website appear to have lost their protection, or were never properly protected in the first place, which has allowed anyone with a web browser to download and view the private files.
Instead of password protecting these private directories, many did not even have the "directory listing" feature disabled, which is usually the first thing server admins turn off when setting up a new website. With directory listing turned on, anyone can browse the contents of any directory that doesn't automatically direct to a web viewable file (such as index.html).
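The check a site owner can run against their own document root follows from this, shown here as an added example that is not from the article or from Denuvo: it reports every directory with no index file (the ones a server would list if directory listing is left on) and every file of a type that should not sit in a public directory. The index names, the extension list and the sample tree are assumptions constructed for the demonstration; only the ajax.log file name comes from the article.

```python
import os
import tempfile

# Assumptions, not from the article: index file names the server would serve,
# and extensions that should not be reachable under a public document root.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
SENSITIVE_EXTS = {".log", ".sql", ".bak", ".exe"}


def audit_docroot(docroot):
    """Return (listable_dirs, sensitive_files) as sorted URL-style paths."""
    listable, sensitive = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        url = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        # No index file: the server falls back to a listing if autoindex is on.
        if not ({name.lower() for name in filenames} & INDEX_NAMES):
            listable.append(url)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                sensitive.append(url + name)
    return sorted(listable), sorted(sensitive)


def build_sample_docroot(root):
    """Create a small constructed tree to audit (sample data only)."""
    layout = {
        "index.html": "home page",
        "private/logs/ajax.log": "constructed sample log line",
        "private/docs/index.html": "docs landing page",
        "private/docs/presentation.exe": "placeholder bytes",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        dirs, files = audit_docroot(root)
        for d in dirs:
            print("no index file, listable if autoindex is on:", d)
        for f in files:
            print("sensitive file under web root:", f)
```

A directory with an index file is not listed, but files inside it remain downloadable by direct URL, which is why the script reports sensitive files separately from listable directories.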
Once the flaw was discovered, many were quick to explore just what is on Denuvo's website, and some interesting files were discovered. One file, which appears to be a mail log (ajax.log), contained customer service emails dating back to 2014. These emails include conversations with game publishers such as Capcom and even Google, with these companies asking for more information on Denuvo's DRM-but-not-DRM products.
The log also contained emails from angry pirates, demanding to know why the company was keen to "f*** over pc gamers with DRM bullsh**" (sic).
More worryingly, the log also contains unencrypted private information, such as emails and phone numbers, for companies working with or interested in working with Denuvo.
Other files discovered include logs for the website itself, plus executables, one of which was a slide presentation detailing the company's various security products.
At the time of writing, it appears the web admin team at Denuvo has already wised up to the potential security breach and, at the very least, turned off directory listings, and also deleted some of the more sensitive files, such as the ajax.log mail log file.