Hundreds of thousands of websites, including some with UK government domains, that use the open-source development tool Git are at risk of having their entire code base, history and previous code changes stolen by hackers, according to a new report.
Cybersecurity platform Defense.com found that 332,000 websites, including 2,500 on UK government domains, had left the highly sensitive .git directory created by the tool publicly accessible.
This “leaves these businesses vulnerable to exploitation by threat actors and is a serious issue that many affected organizations are unaware of,” the report asserts. “Those in the know are not following cybersecurity best practices and are exposing themselves to a high level of risk.”
Git is an open-source version control system widely used in application and website development. The most widely used platform for hosting Git projects, GitHub, has over 83 million members.
The Git project released an update in April that fixed a number of security flaws, including a vulnerability affecting users on multi-user machines and another affecting the Git uninstaller, but the researchers say the real problem lies in how the tool is used.
They found that the fault lies not with Git itself but with Git users who do not follow best practices, for example by deploying the hidden .git directory to a web server where Google and other search engines can index it.
Tech Monitor has contacted the Cabinet Office for comment on the report.
Git users “ignore” directory threat
Oliver Pinson-Roxburgh, CEO of Defense.com, said a vulnerability like this can have serious consequences for an organization. “While it is true that some records would have been deliberately left accessible, the vast majority will be unaware of the threat they face,” he said.
Pinson-Roxburgh said open-source technology always has the potential for security vulnerabilities because it is rooted in publicly available code, but the level of vulnerabilities found in the research “is not acceptable”. Organizations, including the UK government, must monitor their systems and “take immediate action to remedy the risk”, he said.
“The exposure of these hidden folders is concerning,” he warned. “Using a hacker’s favorite tool – Google – the right way with a specially crafted Google dork, someone can find and access .git records that Google has indexed at scale.”
Google dorking is a technique in which attackers use advanced Google Search operators to find systems or data that were never meant to be public but that Google has nonetheless indexed and that remain accessible on the open web, such as exposed .git directories.
If a hacker gains access to the .git directory and the files it contains, they can reconstruct and download the entire codebase and the website's full change history. Most concerning, the researchers say, is that these directories often contain files with plain-text passwords, database credentials and API keys.
Access to API keys and database connection strings could then give a hacker direct access to sensitive user data. Even access to a website's source code alone could make impersonation easier or reveal further vulnerabilities that enable a more severe attack.
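As an added example, not part of the report or of Git itself, the following Python script checks a site for the exposure described above. It fetches /.git/HEAD, verifies that the response is a genuine Git HEAD file rather than a soft-404 page that happens to return 200, then parses /.git/config to see whether a remote URL embeds a username and token, which is one way credentials leak together with the repository. The sample config, the `deploy-bot` user name and the `ghp_EXAMPLETOKEN0000` value are constructed for this example; `probe()` makes network requests and is only invoked when you pass a URL on the command line.

```python
"""Check a web site for an exposed .git directory and show what an attacker
can read from it.  Added example; not Defense.com's tooling or Git's code."""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")

# .git/config is INI-like: [core] or [remote "origin"] headers, key = value lines.
SECTION_RE = re.compile(r'^\s*\[([^\s\]]+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

# scheme://user:secret@host/... : a remote URL with an embedded credential.
CRED_URL_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@]+):(?P<secret>[^@/]+)@(?P<host>[^/]+)"
)

# Constructed sample of a leaked .git/config (not taken from any real site).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN0000@github.com/example-org/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""


def looks_like_git_head(body: str) -> bool:
    """True if `body` is the content of a genuine .git/HEAD file.
    Rejects HTML error pages served with a 200 status (soft 404s)."""
    return bool(HEAD_RE.match(body.strip()))


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for .git/config.  Returns {'remote "origin"': {'url': ...}, ...}.
    Comment lines starting with # or ; are ignored."""
    result: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).lower()
            section = f'{name} "{m.group(2)}"' if m.group(2) else name
            result.setdefault(section, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and section is not None:
            result[section][m.group(1).lower()] = m.group(2)
    return result


def find_embedded_credentials(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, username, host) for every remote url/pushurl that embeds
    a password or token.  The secret itself is deliberately not returned."""
    hits: List[Tuple[str, str, str]] = []
    for section, entries in cfg.items():
        for key in ("url", "pushurl"):
            url = entries.get(key)
            if url:
                m = CRED_URL_RE.match(url)
                if m:
                    hits.append((section, m.group("user"), m.group("host")))
    return hits


def fetch(url: str, timeout: float) -> Optional[str]:
    """GET `url` and return the first 4 KiB as text, or None on any error."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError):
        return None


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Live check of one site (network call; not exercised by the offline test)."""
    base = base_url.rstrip("/")
    report: dict = {"exposed": False, "head": None, "credentials": []}
    head = fetch(base + "/.git/HEAD", timeout)
    if head is None or not looks_like_git_head(head):
        return report
    report["exposed"] = True
    report["head"] = head.strip()
    config = fetch(base + "/.git/config", timeout)
    if config:
        report["credentials"] = find_embedded_credentials(parse_git_config(config))
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(find_embedded_credentials(parse_git_config(SAMPLE_CONFIG)))
```

Once HEAD confirms the directory is exposed, an attacker fetches the rest of the tree (refs, objects and pack files) the same way and rebuilds the working copy offline, which is the full codebase and history download the report describes; the config check above is only the quickest illustration of why the leak matters.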
Pinson-Roxburgh said this is an easy problem to fix: ensure that the .git directory is removed from the deployment process, and add rules to the web server's default configuration that block access to sensitive directories whether or not they are present.
“This will prevent accidental and unintended exposure. This should protect your sensitive directory and prevent exposure,” he said.
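The first half of that fix, a gate that refuses to publish a web root still containing version-control metadata, as an added Python example (not Defense.com's, Git's or any vendor's tool). It assumes the build artifact is a directory on disk; treating `.svn`, `.hg` and `.env` as forbidden alongside `.git` is this example's choice, not the report's. The sample tree built by `run_demo()` is constructed for the demonstration.

```python
"""Pre-deploy gate: fail the build if a web root still contains version-control
metadata.  Added example, not the report's or Git's own code."""
import os
import tempfile
from typing import Dict, List

# Names that must never reach a web root.  .git is the case the report
# describes; .svn and .hg are the same problem for other VCS tools, and .env
# is included as this example's assumption about where credentials live.
FORBIDDEN = {".git", ".svn", ".hg", ".env"}


def find_sensitive_paths(web_root: str) -> List[str]:
    """Return web-root-relative paths of forbidden files and directories.
    Both dirnames and filenames are checked because .git is a plain file in
    submodules and worktrees.  Flagged directories are not descended into, so a
    leaked repository is reported once rather than as thousands of objects."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            if name in FORBIDDEN:
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
        # Prune in place so os.walk skips the flagged directories.
        dirnames[:] = [d for d in dirnames if d not in FORBIDDEN]
    return sorted(hits)


def deploy_is_safe(web_root: str) -> bool:
    """True when nothing forbidden is present; use as the CI exit condition."""
    return not find_sensitive_paths(web_root)


def build_demo_tree(root: str) -> None:
    """Construct a sample web root (public/) with a leaked .git and .env,
    plus an empty clean/ root for comparison.  Fixture for the demo only."""
    public = os.path.join(root, "public")
    os.makedirs(os.path.join(public, ".git", "refs", "heads"))
    with open(os.path.join(public, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(public, ".env"), "w") as f:
        f.write("DB_PASSWORD=example\n")
    os.makedirs(os.path.join(root, "clean"))


def run_demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir and report what the gate finds."""
    root = tempfile.mkdtemp(prefix="deploy-gate-")
    build_demo_tree(root)
    public = os.path.join(root, "public")
    return {
        "hits": find_sensitive_paths(public),
        "public_safe": deploy_is_safe(public),
        "clean_safe": deploy_is_safe(os.path.join(root, "clean")),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = find_sensitive_paths(sys.argv[1])
        for h in hits:
            print("FORBIDDEN:", h)
        sys.exit(1 if hits else 0)
    print(run_demo())
```

Run it as `python deploy_gate.py ./dist` in the pipeline step that produces the artifact; a non-zero exit stops the deploy. The second half of the fix lives in the web server and catches anything the gate misses: in nginx, `location ~ /\.(git|svn|hg) { deny all; }`, or in Apache, `RedirectMatch 404 /\.(git|svn|hg)`, so that the directory is refused even if it is later copied onto the server by hand.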