London, 17th of August 2022 – New research from Defense.com™ found that 332,000 sites using the popular open source development tool, Git, are potentially at risk from hackers. The exposure of a sensitive .git folder leaves these businesses vulnerable to exploitation by threat actors and is a serious issue that many affected organizations are unaware of. Those that are aware are not following cybersecurity best practices and are exposing themselves to a high level of risk.
Crucially, the research uncovered that more than 2500 websites hosted on .gov domains are vulnerable to this exposure. The potential for critical government digital services being disrupted or exploited is high and must be addressed.
Oliver Pinson-Roxburgh, CEO of Defense.com, commented: “Git is a widely used open source version control system with over 83 million users of its website GitHub alone. A vulnerability of this type can have serious consequences for the organizations exposed. Whilst it is true that some folders would have been purposefully left accessible, the vast majority will be unaware of the threat they are facing.
Open source technology always has the potential for security flaws, being rooted in publicly accessible code. However, this level of vulnerability is not acceptable. Organizations, including the UK government, must ensure they monitor their systems and take immediate steps to remediate risk.”
The research showed:
- 332,000 websites were potentially vulnerable
- Including 2,500 websites hosted on .gov domains
- Hackers can download the entire codebase, history and previous code changes contained in the folder
The Git project released an update in April to address various security flaws, such as the vulnerability affecting users on multi-user machines and the vulnerability affecting the Git uninstaller. Research from Defense.com indicated that the fault didn’t actually lie with Git, but with Git users failing to follow best practice. The exposure of these hidden folders is concerning: by using a hacker’s favourite tool, Google, in the right way with a specially crafted Google dork, someone can find and access, on a large scale, the .git folders that Google has indexed. (Google dorking is a hacking technique that uses Google search and other Google applications to find exposed online systems or data that Google has indexed.)
With access to the .git directory and its files, a threat actor can download everything they contain, gaining access to the entire codebase and its history, including previous code changes, comments, security keys, sensitive remote-paths that contain secrets and files with plain-text passwords. Database credentials and API keys that provide direct access to sensitive user data could also be exposed. The leaked source code not only exposes intellectual property publicly but also gives attackers the means to review the code. In turn, this means they can locate more vulnerabilities and potentially execute an even more severe attack.
Pinson-Roxburgh continues: “Although this is a serious vulnerability, it takes just a few steps to fix. This includes ensuring that the .git directory gets removed from the deployment process. Organizations should also add filters in the web servers’ default configurations that block any access to the sensitive directory, whether it’s present or not. This will prevent accidental and unwitting exposure. This should safeguard your sensitive directory and circumvent exposure.”
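A pre-deployment check for the first remediation step above, as an added example that is not part of the original release or of Defense.com's research: it audits your own build directory for `.git` directories and `.git` pointer files, and flags a Git config whose remote URL embeds credentials. The function names, the sample tree and the token are constructed for illustration.

```python
import os
import re
import tempfile

# Remote URL with embedded "user:secret@" credentials in a .git/config file.
CRED_URL = re.compile(r"^\s*url\s*=\s*[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I | re.M)

def audit_webroot(root):
    """Return sorted (relative path, kind, credentialed remote?) for Git metadata under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            gitdir = os.path.join(dirpath, ".git")
            cfg = os.path.join(gitdir, "config")
            creds = False
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as fh:
                    creds = bool(CRED_URL.search(fh.read()))
            findings.append((os.path.relpath(gitdir, root), "directory", creds))
            dirnames.remove(".git")  # no need to walk inside the repository itself
        if ".git" in filenames:
            # Submodules and worktrees use a .git *file* that points at the real gitdir.
            path = os.path.relpath(os.path.join(dirpath, ".git"), root)
            findings.append((path, "pointer-file", False))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (all names and the token are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        os.makedirs(os.path.join(root, "vendor", "lib"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>site</h1>\n")
        with open(os.path.join(root, ".git", "config"), "w") as fh:
            fh.write('[remote "origin"]\n'
                     "\turl = https://deploy:EXAMPLE-TOKEN@git.example.invalid/site.git\n")
        with open(os.path.join(root, "vendor", "lib", ".git"), "w") as fh:
            fh.write("gitdir: ../../.git/modules/lib\n")
        return audit_webroot(root)

if __name__ == "__main__":
    import sys
    # Usage: python audit.py <build-dir>; with no argument, runs the constructed demo.
    results = audit_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, kind, creds in results:
        print(f"{path}\t{kind}\tcredentialed-remote={creds}")
    sys.exit(1 if results and len(sys.argv) > 1 else 0)
```

Run against a real build directory, the script exits non-zero on any finding, so it can gate a deployment job; any credential it flags should be rotated, since removing the folder does not revoke a secret that was already served.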