search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Mac OS X Finder creates world-readable ".FBCIndex" file thereby disclosing sensitive information

Vulnerability Note VU#177243

Original Release Date: 2002-08-05 | Last Revised: 2005-03-28


Mac OS X's Find-By-Content indexing may store file data where it can be served to remote users by Apache.


The Find-By-Content feature of Mac OS X generates indexing data from the contents of files in each directory. It then stores the indexing data for each directory in a hidden yet world-readable file named ".FBCIndex" within the same directory. If files in a directory served by the Apache Web server are indexed, the hidden index data file will be stored in the same directory where it can be viewed by remote users via HTTP.


Users may not be aware that their potentially sensitive file data is being indexed and stored where it can be served by Apache to the public.


The CERT/CC is currently unaware of a practical solution to this problem.

Turn off Find-By-Content indexing in Mac OS X.

Use Unix file permissions or Apache run-time configuration directives to limit access to the hidden index data file.

Vendor Information


Apple Computer Inc. Affected

Notified:  October 19, 2001 Updated: March 28, 2005



Vendor Statement

This is fixed in Mac OS X 10.2, Mac OS X Server 10.2, and later.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Eric Bennett for discovering this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 11.25
Date Public: 2001-09-10
Date First Published: 2002-08-05
Date Last Updated: 2005-03-28 15:51 UTC
Document Revision: 22

Sponsored by CISA.