Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data.
Vladimír Smitka began his .git directory odyssey in July, when he started looking at Czech websites to find out how many were improperly configured and allowed public access to their .git folders, the directory in which Git keeps a project's version control repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information.
“Information about the website's structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices,” Smitka wrote.
Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD, with .net, .de, .org and .uk comprising most of the others.
What tends to happen is that developers leave the .git folder in a publicly accessible part of their site, and when they check whether the folder is protected, many are fooled: they request <web-site>/.git/ and receive an HTTP 403 error. Smitka noted that this makes it appear as if the folder is inaccessible, but the error message is in fact a false positive.
“Actually, the 403 error is caused by the missing index.html or index.php and disabled autoindex functionality. However, access to the files is still possible,” he said, adding that the files can possibly even be viewable on Google.
Instead, he recommends requesting <web-site>/.git/HEAD to verify whether the folder is actually secure.
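The self-check Smitka describes, as an added example that is not his code or tooling: it probes /.git/ and /.git/HEAD on a site you operate and treats a 403 on the directory as inconclusive, deciding only on whether /.git/HEAD returns something that is actually a Git HEAD file. The base URL and the user agent string are placeholders of this example.

```python
import re
import urllib.error
import urllib.request
from typing import Tuple

# A real .git/HEAD is a single line: either a symbolic ref such as
# "ref: refs/heads/master" or, for a detached HEAD, a bare 40-hex commit id.
# Anything else (an HTML error page served with status 200, a catch-all
# "soft 404" page) is not evidence of an exposed repository.
SYMBOLIC_REF = re.compile(r"^ref: refs/\S+$")
DETACHED_SHA = re.compile(r"^[0-9a-f]{40}$")


def looks_like_git_head(body: str) -> bool:
    """True if the body is plausibly the contents of a .git/HEAD file."""
    lines = body.strip().splitlines()
    if len(lines) != 1:
        return False
    return bool(SYMBOLIC_REF.match(lines[0]) or DETACHED_SHA.match(lines[0]))


def classify(head_status: int, head_body: str) -> str:
    """Verdict from the /.git/HEAD probe alone; the /.git/ status is only context."""
    if head_status == 200 and looks_like_git_head(head_body):
        return "EXPOSED"
    if head_status == 200:
        return "UNCLEAR"  # 200 with a non-HEAD body: probably a catch-all page, verify by hand
    return "NOT EXPOSED"  # 403/404 on HEAD itself: the file is being denied or is absent


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET url and return (status, body); HTTP error statuses are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(base_url: str) -> dict:
    """Probe both paths on a site you operate and report the verdict."""
    base = base_url.rstrip("/")
    dir_status, _ = fetch(base + "/.git/")
    head_status, head_body = fetch(base + "/.git/HEAD")
    return {
        "dir_status": dir_status,  # a 403 here is NOT proof that .git is protected
        "head_status": head_status,
        "verdict": classify(head_status, head_body),
    }


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid"))
```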
During his scanning process he was able to find 290,000 email addresses in the directories, so he set about trying to warn as many people as possible about their websites' vulnerabilities. He boiled the initial list down to about 90,000 addresses by eliminating machine addresses and those associated with multiple domains. In the end, 18,000 were kicked back as undeliverable.
“After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue. I have received almost 2,000 thank-you emails, 30 false positives, 2 scammer/spammer accusations, and 1 threat to call the Canadian police,” Smitka said.
The emails contained a link to a page Smitka created that explained the problem and provided a mitigation for it.