Developers expose their Git directories to the world


Git is a developer’s best friend… except when it is used carelessly and ends up exposing a site to attack.

The tool is used for version control. It tracks changes in code over time, so multiple developers can work together effectively and roll back if they need to.

Git is also the primary tool used to contribute to the GitHub social coding site, although it’s not the same thing.

It’s a glorious tool and fairly straightforward to use, but has a steep learning curve, as most of the interactions you’ll have with it will be through the command line.

Git can also catch inexperienced developers off guard.

Because it tracks your changes over time, it keeps them in a hidden folder called .git. Exposing that folder to the world is catastrophic.

In many cases, revealing it means giving anyone access to source code, server access keys, database passwords, hosted files, encryption salts, etc.

Unfortunately, this is exactly what many websites do.

Jamie Brown, a developer, wrote on his blog that 1 in 600 websites have their .git file exposed to the world. It is a rookie mistake to make when deploying a site.

Brown says 2,402 of the 1.5 million sites he tracks have an exposed and downloadable .git file.

Brown gave me access to his database to verify the allegations. I was surprised by what I saw.

A number of large universities, nonprofits, and large corporations make the mistake of exposing their entire .git file to the root of their domain.

In many of these organizations, the data is simply there, wide open at http://example.com/.git/, waiting for an attacker to spot it.

Some of the .git directories are open, but harmless, as the developers have thought to exclude sensitive files from their version control. Others are not so harmless and include masses of sensitive data.

A major site with its wide open source code

Brown said a leading human rights group exposed everyone who signed up for a gay rights campaign, including their home and email addresses, in a CSV file followed by their Git repository.

In our testing, we came across a major nonprofit that had over four years of Git changes available online for the whole world to see, including SQL database backups.

We cannot name the companies in the spreadsheet as many of them still have sensitive data publicly available through this method, although I am working to contact some of the organizations.

Unfortunately for those who make this mistake, there are already tools available to help the casual hacker spot it.

A publicly available Chrome extension automatically tests for the existence of the directory and sends a notification when it is discovered on a site.


This is a stupid mistake with a simple fix: don’t upload your .git repository to your website.

As long as a Git repository containing keys, passwords, or hashing secrets is wide open to anyone who knows where to look, no other security measure will prevent an attack.

There are other ways to mitigate the impact if the files are uploaded by mistake. Server administrators should disable directory listing and add a rule to the web server that denies all access to the .git directory.
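The server-side rule described above, written for nginx as an added example (it is not configuration from the article or from any of the sites mentioned; the server name and document root are placeholders):

```nginx
# Added example: block every request whose path contains a ".git" segment
# and switch off directory listings site-wide.
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/example;            # placeholder

    autoindex off;                    # never list directory contents

    # "~" is a case-sensitive regex match; this catches /.git, /.git/HEAD,
    # /.git/config and nested copies such as /app/.git/objects/...
    location ~ /\.git {
        deny all;                     # nginx answers 403 Forbidden
    }
}
```

The rule is a safety net, not a substitute for keeping the repository out of the document root: it only protects the paths nginx serves, so a backup copied elsewhere, or a second vhost without the rule, is still exposed. Some administrators prefer `return 404;` in place of `deny all;` so the response does not confirm that the directory exists. The equivalent Apache directive is `RedirectMatch 404 /\.git` or a `<DirectoryMatch "\.git">` block with `Require all denied`.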

Many developers learn not to check sensitive files, such as AWS access keys, into GitHub, but seem to forget how sensitive the .git directory itself is when deploying their sites.

If you are responsible for a website, it is worth checking right now whether your .git directory is exposed and, if so, deleting it.
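A way to run that check against a domain you administer, as an added example that is not from the article or from the Chrome extension it mentions. It requests only `.git/HEAD` and `.git/config`, reads at most the first kilobyte of each, and verifies that the body actually looks like Git metadata, because a site that answers every unknown URL with a "soft 404" page would otherwise look exposed on status code alone. The User-Agent string and probe paths are this example's own choices.

```python
"""Self-check: does my web server serve its .git directory?"""
import sys
import urllib.error
import urllib.request

# Two files every checked-out repository contains; either one served
# with real Git content means the directory is exposed.
PROBE_PATHS = (".git/HEAD", ".git/config")


def looks_like_git_head(body: bytes) -> bool:
    """True if body resembles .git/HEAD: a symbolic ref ("ref: refs/heads/...")
    or a bare 40-hex commit id (detached HEAD)."""
    text = body.strip()
    if text.startswith(b"ref: refs/"):
        return True
    return len(text) == 40 and all(c in b"0123456789abcdef" for c in text)


def looks_like_git_config(body: bytes) -> bool:
    """True if body resembles .git/config (INI-style, with a [core] section)."""
    return b"[core]" in body and b"repositoryformatversion" in body


def classify(path: str, status: int, body: bytes) -> str:
    """Turn one probe result into a verdict: 'exposed', 'soft-404' or 'blocked'."""
    if status != 200:
        return "blocked"          # 403/404/connection error: nothing served
    if path.endswith("HEAD") and looks_like_git_head(body):
        return "exposed"
    if path.endswith("config") and looks_like_git_config(body):
        return "exposed"
    # 200 but not Git content: a catch-all page or custom handler answered.
    return "soft-404"


def fetch(url: str, timeout: float = 5.0) -> tuple:
    """Return (status, first 1 KiB of body); 0 status on network failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(1024)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except OSError:               # URLError, socket timeout, refused connection
        return 0, b""


def check_site(base_url: str) -> dict:
    """Probe each path under base_url and map it to its verdict."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(path, *fetch(base + path)) for path in PROBE_PATHS}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: git_selfcheck.py https://your-site.example")
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{path:12s} {verdict}")
```

Run it against your own sites only; the single useful outcome is "blocked" on both paths. A "soft-404" result means the server answered with something other than Git content, which is not a leak by itself but is worth a second look at how unknown paths are handled.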

➤ One in 600 a .git website exposed [Jamie’s OC]
