An open source bug reportedly leaves tons of sites susceptible to attack as Git users keep exposing sensitive data via hidden folders.
An Open Source Bug Reportedly Leaves Tons of Sites Susceptible To Attack
Many websites, including a large number on the .gov domain, are currently at risk of losing data, experts have warned.
Cybersecurity researchers from Defense.com recently found a vulnerability involving the open source development tool Git which, if not addressed quickly, hands threat actors the keys to the kingdom.
The problem is that .git folders, which should be hidden from the web, are in many cases exposed. While this is a serious issue, the researchers say it is not entirely the fault of Git but rather of Git users failing to follow best practices. Using a specially crafted Google dork, a threat actor could locate these folders and download their contents.
How to Eliminate the Risk
The files within these folders typically hold the entire history of the codebase: previous code changes, security keys, comments, and sensitive remote paths containing secrets and files with plain-text passwords.
Beyond the obvious threat of exposing sensitive data and passwords, there is a second, less visible threat: attackers can review the code to find further flaws, which they will not fix but rather abuse. These folders may also contain database credentials and API keys, giving threat actors access to sensitive user data.
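The article does not spell out how a site owner can tell whether their own deployment is affected, so the following added example (not Defense.com's code, and not part of the original article) shows the self-check a defender would run: it requests `/.git/HEAD` on a site you administer and classifies the response, since a served HEAD file is a reliable sign that the whole `.git` directory is reachable. The hostnames are passed on the command line; the sample bodies in the comments are constructed.

```python
import sys
import urllib.error
import urllib.request

# HEAD is the cheapest file to test: it is always present in a repository and has
# a fixed shape, so a 200 with matching content means the directory is exposed.
GIT_HEAD_PATH = "/.git/HEAD"


def looks_like_git_head(body: str) -> bool:
    """True if the text has the shape of a Git HEAD file.

    HEAD is either a symbolic ref ("ref: refs/heads/main") or, when the
    checkout is detached, a bare 40-hex (SHA-1) or 64-hex (SHA-256) object id.
    """
    text = body.strip()
    if text.startswith("ref: refs/"):
        return True
    return len(text) in (40, 64) and all(c in "0123456789abcdef" for c in text.lower())


def classify(status: int, body: str) -> str:
    """Map an HTTP status and response body to a verdict for the site owner."""
    if status == 200 and looks_like_git_head(body):
        return "exposed"            # .git is being served verbatim: remediate now
    if status == 200:
        return "served-but-not-git"  # e.g. a catch-all 200 page; not conclusive
    if status in (401, 403):
        return "blocked"            # web server denies the path, as it should
    return "absent"                 # 404 or other: nothing served at that path


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD and return classify()'s verdict."""
    url = base_url.rstrip("/") + GIT_HEAD_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Only a few hundred bytes are needed to recognise a HEAD file.
            body = resp.read(512).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Usage: python selfcheck.py https://www.example.org https://staging.example.org
    for site in sys.argv[1:]:
        print(f"{site}: {check_site(site)}")
```

A verdict of `exposed` means the fix is on the web server, not in Git: deny requests for any path beginning with `/.git` (for example an nginx `location` block that matches `/\.git` and returns `deny all`, or an equivalent Apache `<DirectoryMatch>` rule), and, better still, deploy only the built artefacts rather than a full checkout so no `.git` directory sits under the document root in the first place. Re-run the check after the change and expect `blocked` or `absent`.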
What Defense.Com Has To Say About This Development
Defense.com says that 332,000 websites in total were found to be potentially vulnerable, including 2,500 websites on the .gov domain.
“Open source technology always has the potential for security flaws, being rooted in publicly accessible code. However, this level of vulnerability is not acceptable,” Oliver Pinson-Roxburgh, CEO of Defense.com, commented. “Organizations, including the UK government, must ensure they monitor their systems and take immediate steps to remediate risk.”
Git is a very popular open-source version control system with over 80 million active users, Pinson-Roxburgh adds, noting that this type of vulnerability on a platform of that scale can have ‘serious consequences’ for affected platforms and companies.
He concluded by saying: “Whilst it is true that some folders would have been purposefully left accessible, the vast majority will be unaware of the threat they are facing.”