Capital aired the web address for accessing accounts at a restaurant establishment during prime time. And it took him more than a week and the alert given by a tweeter before realizing his mistake and deleting the program in question.
What happens when a major channel displays an unencrypted URL in prime time, a URL that allows direct access to confidential data of a catering establishment ? Does the channel in question immediately realize its error and edit its replay accordingly? Not really. And even when a Twitter user followed by more than 75,000 people sounds the alarm, the little chain that rises is rather long to trigger.
It was this Sunday, July 31, 2022 that M6 broadcast its Capital program with the theme “Seaside: business that blazes at sunset”. Among the various reports from Julien Courbet’s show, one of them lingered on a bar / terrace. And among the various images that illustrated the lucrative side of the aperitif hour of this type of business, we could see… A Web address displayed in plain text, which allows access to the company’s accounts. Worse: the document is not only searchable, but it can also be edited by any Internet user.
Read also: the merger between TF1 and M6 could finally be canceled
Oops, M6 displays a URL allowing access to the confidential data of a bar
The document in question, whose Web address should certainly have been blurred before distribution, therefore provides access to bar financial results. Everything is there: the number of orders placed, the daily turnover of the company… Enough to delight competing establishments.
Unveiled on Twitter by Defend Intelligence, an AI engineer and famous Youtuber, the blunder also made Internet users happy. Because the confidential document is not only consultable, it can also be edited. Therefore, everyone is free to modify the data, delete it, add comments that have nothing to do with it, etc.
As of this writing, the show is no longer accessible on the M6 Replay platform. But it was still there in the middle of the afternoon. Beyond the question of knowing “whose fault” (M6 who forgot to blur the URL or the establishment in question who let the channel film a confidential document?), this blunder highlights the security and the sharing documents on the web. Because there was negligence for not having protected the document and making sure that only the employees and the person in charge of the establishment could have access to it.
If you don’t know it yet, here is the option that allows you to limit access to a Google Docs document or table (in edition and in consultation): File > To share > Share with other users > General access > Limit.
No need to be a big hacker to have access to a data leak.
Yesterday I found out in last week’s episode of @CapitalM6 displayed a computer screen of a financial statement with the sale details of a bar/patio with the CLEAR URL. And… 1/3 pic.twitter.com/oRczP40nl2
—Defend Intelligence (@DFintelligence) August 8, 2022