400,000 Websites Vulnerable Through Exposed .git Directories (scmagazine.com)
Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report: Vladimir Smitka began his .git directory
odyssey in July when he began looking at Czech websites to
find how many were improperly configured and allow access to
their .git folders within the file versions repository. Open
.git directories are a particularly dangerous issue, he said,
because they can contain a great deal of sensitive
information. "Information about the website's structure, and
sometimes you can get very sensitive data such as database
passwords, API keys, development IDE settings, and so on.
However, this data shouldn't be stored in the repository, but
in previous scans of various security issues, I have found
many developers that do not follow these best practices,"
Smitka wrote. Smitka queried 230 million websites to discover
the 390,000 allowing access to their .git directories. The
vast majority of the websites with open directories had a .com
TLD with .net, .de, .org and .uk comprising most of the others.