Misconfigured servers exposed database passwords, API keys

Sep 8, 2018 13:22 GMT  ·  By

After scanning more than 230 million domains, Vladimir Smitka, a Czech security researcher at Lynt Services, found more than 390,000 websites with their source code's .git repository exposed to the web.

Publicly available git repositories are not unheard of, with many of them hosted on software development platforms such as GitHub, but having a private repository readable from a production web server is a very different matter.

Developers and website administrators should take into account the fact that a production .git repository might contain sensitive data such as private API keys and database passwords.

Smitka says in his report that "this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices."

Furthermore, repository metadata such as .git/index, which lists every tracked file path, can be used to map the internal structure of the application, including its endpoints, even before any source file is retrieved.
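As an added self-check for a site you administer (this is not Smitka's scanning script), the following Python matches the format of .git/HEAD, .git/config and .git/index rather than trusting the HTTP status, so a custom error page served with status 200 is not reported as an exposure; it assumes the site serves its working tree directly, so those files would be reachable under /.git/ if the directory was deployed.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# A genuine .git/HEAD is either a symbolic ref or a bare hex commit id.
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")
INDEX_MAGIC = b"DIRC"  # first four bytes of every .git/index file


def looks_like_git_head(body: bytes) -> bool:
    """True when `body` has the format of a real HEAD file.

    Matching the format instead of trusting the HTTP status avoids the
    false positives Smitka mentions: an HTML error page does not match.
    """
    return HEAD_RE.match(body.strip()) is not None


def fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch up to 4 KiB of `url`; None on any network or HTTP error."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096)
    except (urllib.error.URLError, OSError):
        return None


def check_site(base_url: str,
               fetch_fn: Callable[[str], Optional[bytes]] = fetch) -> Dict[str, bool]:
    """Report which .git artefacts are readable under `base_url`."""
    base = base_url.rstrip("/")
    head = fetch_fn(base + "/.git/HEAD")
    result = {"head_exposed": head is not None and looks_like_git_head(head)}
    if result["head_exposed"]:
        # If HEAD is readable, config (remote URLs) and index (every tracked
        # path, the structure leak described above) are usually readable too.
        config = fetch_fn(base + "/.git/config")
        index = fetch_fn(base + "/.git/index")
        result["config_exposed"] = config is not None and b"[core]" in config
        result["index_exposed"] = index is not None and index.startswith(INDEX_MAGIC)
    return result


if __name__ == "__main__":
    print(check_site(sys.argv[1]))  # usage: python selfcheck.py https://your-site.example
```

If the check reports an exposure, the fix is to deploy without the .git directory (or build artefacts only) and to deny any request whose path begins with /.git in the web server configuration.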

From a few thousand vulnerable local websites to hundreds of thousands on a global scale

Smitka started on a much smaller scale, scanning Czech and Slovak websites. The results, 1,925 open git sites in the Czech Republic and 931 in Slovakia, convinced him that the problem was more widespread than he had previously thought.

The next step was to gather a list of 230 million domains and scan it with the same script he had used to find the misconfigured servers behind the Czech and Slovak websites.

After four weeks, Smitka had found an astonishing 390,000 websites with an exposed .git folder and decided to get in touch with the developers behind each site to let them know of his discovery and provide mitigation advice.

"After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue," the researcher states in his write-up. "I have received almost 2,000 thank-you emails, 30 false positives, 2 scammer/spammer accusations, and 1 threat to call the Canadian police."