Hundreds of thousands of websites, including thousands using the .gov domain, are at risk of data loss, experts have warned.
Defense.com cybersecurity researchers have discovered a vulnerability in the open-source developer tool Git that, if left unpatched, gives threat actors the keys to the realm.
The problem is not Git itself but how it is deployed: .git folders should never be reachable on a public web server, yet in many cases they are. The researchers say this is a serious flaw, but one caused by Git users not following best practices rather than by Git directly. With the help of a specially crafted Google dork, a malicious actor could find these folders and download their contents.
Elimination of risks
The files in these folders usually contain the entire codebase history, previous code changes, comments, security keys, as well as sensitive remote paths containing secrets and files with the word "password" in plain text. Besides the obvious threat of exposing passwords and sensitive data, there is also a hidden one: hackers could examine the code and find additional flaws, which they are unlikely to fix but rather misuse. Additionally, these folders can contain database credentials and API keys, further allowing threat actors to access sensitive user data.
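Two checks a site operator can run to catch this kind of exposure, as an added example (not code from the article or from Defense.com): a pre-deploy walk of the document root that lists any .git directory the web server would serve, and a scan of access-log lines for requests aimed at .git paths, since a repository that is being downloaded shows up as a run of 2xx responses to such paths. The log format (Common Log Format), the sample log lines and the temporary document root are constructed assumptions.

```python
"""Defensive checks for exposed .git directories on a web host.

Added example, not from the article or Defense.com. Two offline checks:
  1. find_git_dirs(): walk a deployed document root and list every .git
     directory that would be served to the public (a pre-deploy/CI gate).
  2. flag_git_requests(): scan web-server access-log lines for requests
     aimed at .git paths and note whether the server actually served them.
Paths, log format and sample data are constructed assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List

# Common Log Format line: ip - - [time] "METHOD path HTTP/x" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any path segment named .git (or anything inside it), case-insensitive
_GIT_PATH = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.5 - - [10/Oct/2022:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Oct/2022:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2022:14:10:44 +0000] "GET /app/.GIT/index HTTP/1.1" 403 199',
    'garbage line that does not parse',
]


def find_git_dirs(webroot: str) -> List[str]:
    """Return every .git directory under webroot, as paths relative to webroot.

    A found .git directory is not descended into; its presence alone is the
    finding, and the server would hand out everything below it anyway."""
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".git" in dirnames:
            found.append(os.path.relpath(os.path.join(dirpath, ".git"), webroot))
            dirnames.remove(".git")  # do not walk inside the repository metadata
    return sorted(found)


def flag_git_requests(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per access-log request whose path targets .git.

    'served' is True when the status is 2xx, i.e. repository metadata was
    actually delivered; a 403/404 means the deny rule did its job."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue  # malformed or non-CLF line: skip rather than crash
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if _GIT_PATH.search(path):
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": m.group("status"),
                "served": m.group("status").startswith("2"),
            })
    return hits


def demo_webroot() -> List[str]:
    """Build a throwaway document root with one stray .git folder and check it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", ".git", "objects"))
        os.makedirs(os.path.join(root, "static"))
        with open(os.path.join(root, "app", ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
        return find_git_dirs(root)


if __name__ == "__main__":
    print("stray .git dirs in document root:", demo_webroot())
    for hit in flag_git_requests(SAMPLE_LOG):
        print(hit)
```

The walk belongs in the deployment pipeline (fail the deploy if it returns anything), and the log scan belongs in whatever already tails the access log; a hit with `served` set to True is the alert, while a steady stream of 403s to `.git` paths is the web server's deny rule working as intended.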
In total, according to Defense.com, 332,000 websites were deemed potentially vulnerable, including 2,500 residing on the .gov domain.
“Open source technology still has the potential for security vulnerabilities, being rooted in publicly available code. However, this level of vulnerability is not acceptable,” commented Oliver Pinson-Roxburgh, CEO of Defense.com. “Organizations, including the UK government, must ensure they monitor their systems and take immediate action to address risks.”
Git is an extremely popular open-source version control system, with more than 80 million active users, adds Pinson-Roxburgh, saying that this type of vulnerability, on such a popular platform, can have “serious consequences” for the companies concerned.
“While it is true that some files would have been deliberately left accessible, the vast majority will not be aware of the threat they face,” he concluded.