The security researcher Fábio Castro discovered tens of thousands of Django apps that expose sensitive data because developers forget to disable the debug mode.

Security researchers have discovered misconfigured Django applications that are exposing sensitive information, including passwords, API keys, or AWS access tokens.

Django is a very popular high-level Python Web framework that allows rapid development of Python-based web applications.

The researcher Fábio Castro explained that installs expose data because developers forget to disable the debug mode for the Django app.

28,165 thousand django running servers are exposed on the internet, many are showing secret API keys, database passwords, amazon AWS keys. A small line http GET http://54.251.149.60:8081/ –body | grep 'DATABASE_URL|Mysql|AWS'#Shodan #django #hacking #cybersecurity #infosec pic.twitter.com/SV8v8KBJB6 — Fábio Castro ? (@6IX7ine) March 27, 2018

Castro found 28,165 apps querying Shodan for Django installs that have debug mode enabled.

I made the same query a few hours later and I obtained 28,911 results.

Many servers with debug mode enabled expose very, the experts discovered server passwords and AWS access tokens that could be used by hackers to gain full control of the systems.

“I found this as I was working with the Django framework on a small project,” Castro told Bleeping Computer “I noticed some error exception and then went searching on Shodan.”

“The main reason [for all the exposures] is the debug mode enabled,” Castro says. “This is not a failure from Django’s side. My recommendation is to disable debugging mode when deploying the application to production.”

Pierluigi Paganini

(Security Affairs – Django framework, hacking)

Share this...

Linkedin Reddit Pinterest

Share On