Because a Symfony PHP application was misconfigured (it ran in debug mode and exposed its profiler logs), the Last.fm streaming service leaked credentials, including an administrator's username and password. With that access, an attacker could have read and changed the details of other users' Last.fm accounts.
The problem was discovered by SecurityDiscovery researchers Sebastian Kaul and Bob Diachenko. They noticed that the web application was exposing a "PHPinfo page and profiler logs with credentials" to outsiders. On closer examination, the researchers found that the Symfony Profiler logs contained the usernames, passwords, and secret tokens of several administrators.
Diachenko told Bleeping Computer that he and his colleagues are currently studying misconfigured Symfony applications, fingerprinting them with IoT search engines. In the course of that project they found instances belonging to CBS Interactive, the company that owns Last.fm.
Just last week, Diachenko asked his Twitter followers to help him reach someone at CBS Interactive so he could report the issue. Although he never received a reply from the company, the problem has since been fixed.
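The kind of exposure described above is easy to check for from the outside. The script below is an added example, not code from the article or from SecurityDiscovery: it requests Symfony's WebProfilerBundle routes (`/_profiler/...`) and two common phpinfo file names on a given host, reports any that answer 200 with profiler or phpinfo markers in the body, and notes whether the page shows credential-like names (a login form's `_password` parameter, `APP_SECRET`, `DATABASE_URL`). The host name and the sample responses used by `demo()` are constructed for the demonstration; the phpinfo and profiler path guesses beyond `/_profiler/` are assumptions, not something the article reports.

```python
"""Probe a Symfony app for an exposed profiler or phpinfo page (added example)."""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable

# /_profiler/ is the WebProfilerBundle route prefix; the remaining paths are
# common guesses (assumptions for this example).
PROBE_PATHS = [
    "/_profiler/",
    "/_profiler/latest",
    "/_profiler/search",
    "/phpinfo.php",
    "/info.php",
]

# Body markers that identify the two kinds of page.
PROFILER_RE = re.compile(r"Symfony Profiler|sf-toolbar|/_profiler/", re.I)
PHPINFO_RE = re.compile(r"phpinfo\(\)|PHP Version \d", re.I)
# Names that should never be visible to an anonymous client. A profiler
# request panel shows POST parameters (e.g. a login form's _password);
# phpinfo dumps the process environment (APP_SECRET, DATABASE_URL, ...).
SECRET_RE = re.compile(
    r"\b(?:_?password|passwd|APP_SECRET|DATABASE_URL|MAILER_DSN)\b", re.I
)


@dataclass
class Finding:
    path: str
    kind: str        # "profiler" or "phpinfo"
    secrets: bool    # credential-like names seen in the body


def classify(path: str, status: int, body: str) -> Finding | None:
    """Return a Finding if the response looks like an exposed debug page."""
    if status != 200:
        return None
    if PROFILER_RE.search(body):
        return Finding(path, "profiler", bool(SECRET_RE.search(body)))
    if PHPINFO_RE.search(body):
        return Finding(path, "phpinfo", bool(SECRET_RE.search(body)))
    return None


def http_fetch(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Fetch a URL, returning (status, body); network errors become status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "symfony-profiler-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def probe(base_url: str,
          fetch: Callable[[str], tuple[int, str]] = http_fetch) -> list[Finding]:
    """Request every probe path under base_url and collect the findings."""
    base = base_url.rstrip("/")
    findings: list[Finding] = []
    for path in PROBE_PATHS:
        status, body = fetch(base + path)
        finding = classify(path, status, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample responses standing in for a misconfigured instance.
SAMPLE_RESPONSES = {
    "/_profiler/": (200, "<html><head><title>Symfony Profiler</title></head>"
                         "<body><table class='search-results'>...</table></body></html>"),
    "/_profiler/latest": (200, "<title>Symfony Profiler</title><h3>Request Parameters</h3>"
                               "<tr><th>_username</th><td>admin</td></tr>"
                               "<tr><th>_password</th><td>hunter2</td></tr>"),
    "/phpinfo.php": (200, "<title>PHP 8.1.2 - phpinfo()</title><h1 class='p'>PHP Version 8.1.2</h1>"
                          "<tr><td class='e'>APP_SECRET</td><td class='v'>0123abcd</td></tr>"),
}


def demo() -> list[Finding]:
    """Run the probe against the constructed responses (no network)."""
    base = "https://app.example"  # hypothetical host for the demo

    def fake_fetch(url: str) -> tuple[int, str]:
        return SAMPLE_RESPONSES.get(url[len(base):], (404, ""))

    return probe(base, fake_fetch)


if __name__ == "__main__":
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.path}: exposed {f.kind}" + (" (credential-like names visible)" if f.secrets else ""))
```

Run it as `python3 probe.py https://host` only against systems you are authorized to test; with no argument it runs the offline demo. On the application side the fix is to deploy with `APP_ENV=prod` and `APP_DEBUG=0`, keep WebProfilerBundle enabled only in the dev environment, and remove any phpinfo file from the document root.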