Unprotected .git folders can leak sensitive information

Jul 28, 2015 07:40 GMT

Jamie Brown, developer and co-founder of British-Chinese fashion startup Chicmi, has published an interesting blog post in which he describes how many respectable websites are openly listing the content of their .git folder.

If you're not familiar with Git, it's a version control system developed by Linus Torvalds, the inventor of Linux, to track changes to the Linux kernel's code and to revert them when needed.

The technology is ten years old but has been widely adopted among Web, desktop, and mobile developers thanks to its ease of use and the success of GitHub.

To track code changes, Git creates a hidden folder named ".git," which can hold a wide array of information. This includes the repository's commit history, but it can also hold whatever was stored inside the repo, such as FTP credentials, API keys, database logins, and other sensitive details.

Developers who are aware of this usually keep the .git folder out of their production deployments, or, if it does end up on the server, they block public access to it.

0.16% of the Internet lists its .git folder

Mr. Brown's research into this matter reveals that, out of the 1.5 million sites he scanned, 2,402 of them had their .git folder exposed. Some of the sites are quite respectable ones, including major media outlets like the BBC, The Guardian, and several websites for government bodies and educational institutes.

While most of the content he found inside them was harmless, some folders contained worrying details.

"One prominent human rights group exposed every single person who had signed up to a gay rights campaign (including their home address and email addresses)," says Mr. Brown.

"One company that sold digital reports provided its entire database of reports free of charge to anyone who wanted to download their .git folder," he also adds.

If you work with Git, the first step is to check if you're vulnerable to this problem by going to http://www.yourdomain.com/.git/

If your browser lists the content of the folder, then you immediately need to set up an .htaccess file inside it and prevent users from viewing it.

After you make sure that nobody is able to view it anymore, you can start going through its content and see if any sensitive data was exposed in the past.

If so, the most obvious step is to change all of the exposed credentials, and do it right away. Remember, hackers read the same news as you do, and they won't be shy about exploiting Mr. Brown's findings.
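The check described above depends on the web server producing a directory listing, which many servers disable even when the folder itself is still readable. The following script is an added example, not code from the article or from Mr. Brown's research: it requests `/.git/HEAD` from the base URL of your own site and classifies the answer, so a disabled listing is not mistaken for a protected folder. The function names (`classify_head`, `fetch`, `check_site`) and the user-agent string are my own choices.

```python
"""Self-check for a web-readable .git folder (added example)."""
import re
import sys
import urllib.error
import urllib.request

# A readable .git/HEAD is either a symbolic ref ("ref: refs/heads/...")
# or, in a detached state, a bare 40-hex-character commit id.
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})$")


def classify_head(status, body):
    """Map the HTTP status and body of GET /.git/HEAD to a verdict."""
    if status == 200 and HEAD_RE.match(body.strip()):
        return "exposed"            # folder is readable, listing or not
    if status in (401, 403):
        return "blocked"            # server refuses access, as intended
    if status == 404:
        return "absent-or-hidden"   # not deployed, or rewritten to 404
    return "unknown"                # e.g. a 200 that is really an HTML error page


def fetch(url):
    """Return (status, first 4 KiB of body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_site(base_url):
    """base_url is your own site's origin, e.g. 'https://www.yourdomain.com'."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return classify_head(status, body)


if __name__ == "__main__":
    print(check_site(sys.argv[1]))
```

An "exposed" verdict means the whole folder should be treated as downloaded already: block it and rotate whatever the history contains.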