- According to a report published by Defense.com, 332,000 websites, including 2,500 on UK government domains, have failed to secure their .git folder.
- The folder can include the entire codebase history, previous code changes, comments, security keys, and sensitive remote paths containing secrets, along with files holding plain-text passwords.
- Attackers can exploit this exposure to steal the entire codebase, its history and previous changes, and then review the code to find additional flaws.
Cybersecurity researchers from Defense.com have reported a widespread exposure involving the open-source version-control tool Git that can allow attackers to steal a site's entire codebase, history, and previous code changes. The issue is not a flaw in Git itself: it arises when the .git folder that Git creates is deployed to a web server and left reachable from the public web. The report says that 332,000 websites, including 2,500 belonging to UK government domains, have failed to secure this folder. The most popular platform for hosting Git projects is GitHub, which has over 83 million members.
Including UK government domains
According to the report, websites that leave the .git folder open and accessible from the public web are vulnerable to exploitation by threat actors and expose themselves to a high level of risk, yet many organizations are unaware of the issue. Although the Git project addresses security flaws in the tool itself with updates, the researchers note that this exposure depends on how organizations use and deploy the tool rather than on which version of it they run.
These folders typically include the entire codebase history, previous code changes, comments, security keys, and sensitive remote paths containing secrets, along with files holding plain-text passwords. By reviewing the recovered source, attackers can also find additional flaws and use them to mount more severe attacks.
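The exposure described above can be tested for directly, and a recovered .git/config can be triaged for the embedded secrets the report mentions. The following is an added example, not Defense.com's scanner or any code from the report; the hostnames, the sample config and the token in it are constructed placeholders. It probes /.git/HEAD (fetching a named file works even when directory listing is off) and insists on the exact shape of a HEAD file so that sites which answer every path with a 200 HTML page are not reported as exposed.

```python
"""Added example: detect a publicly reachable .git directory and triage what it leaks.

Not Defense.com's tooling; hostnames, the sample config and the token in it are constructed.
"""
import re
import sys
import urllib.error
import urllib.request

# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/main") or a
# bare object id (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones).
# Requiring that shape avoids false positives from catch-all 200 responses.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: str) -> bool:
    """True if the response body has the exact shape of a .git/HEAD file."""
    return HEAD_RE.match(body.strip()) is not None


def fetch(url: str, timeout: float = 5.0):
    """Return (status, first 4 KiB of body); status is None on connection failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def git_exposed(base_url: str) -> bool:
    """Probe <base>/.git/HEAD. Disabled directory listing does not protect a
    site: individual files under .git/ are still fetchable by name."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return status == 200 and looks_like_git_head(body)


# --- triage of a recovered .git/config -------------------------------------
REMOTE_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)
# user:password (or user:token) embedded before the host in a URL-style remote
EMBEDDED_CRED_RE = re.compile(r"^([a-z][a-z0-9+.-]*://)[^/@]+@", re.IGNORECASE)


def remotes_with_credentials(config_text: str):
    """Return (remote_url, had_embedded_credentials) for each remote, with any
    embedded credentials redacted so the finding can be reported safely."""
    findings = []
    for url in REMOTE_URL_RE.findall(config_text):
        if EMBEDDED_CRED_RE.match(url):
            findings.append((EMBEDDED_CRED_RE.sub(r"\1<redacted>@", url), True))
        else:
            findings.append((url, False))
    return findings


# Constructed sample of a leaked .git/config; the token is a placeholder, not a real one.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:placeholder-token@github.com/example-org/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "staging"]
\turl = git@staging.example.internal:site.git
"""


if __name__ == "__main__":
    for site in sys.argv[1:]:  # e.g. https://www.example.com (assumed host)
        print(f"{site}: {'EXPOSED' if git_exposed(site) else 'not exposed'}")
    for url, leaked in remotes_with_credentials(SAMPLE_CONFIG):
        print(f"remote {url}{' (credentials were embedded)' if leaked else ''}")
```

Run it against hosts you own (`python check_git_exposure.py https://www.example.com`). Even a remote URL without embedded credentials, like the scp-style staging remote in the sample, leaks an internal hostname, which is the "sensitive remote paths" problem the report describes. A positive result calls for the two controls the article goes on to name: exclude .git from what gets deployed, and deny the path at the web server (for nginx, a rule such as `location ~ /\.git { return 404; }`).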
The report also says the problem is easy to fix: excluding .git from the deployment process, and adding rules to the web server's default configuration that block access to sensitive directories, eliminates the risk. Oliver Pinson-Roxburgh, CEO of Defense.com, said,
"Open source technology always has the potential for security flaws, being rooted in publicly accessible code. However, this level of vulnerability is not acceptable. Organizations, including the UK government, must ensure they monitor their systems and take immediate steps to remediate risk. Whilst it is true that some folders would have been purposefully left accessible, the vast majority will be unaware of the threat they are facing."