Hundreds of thousands of websites, including some with UK government domains, that use the open source development tool Git are at risk of having their entire codebase, history and previous code changes stolen by hackers, a new report claims.

Leaving the .git folder exposed can allow hackers to gain access to website source code and sensitive information (Photo: Maximusnd/iStock)
Leaving the .git folder exposed can allow hackers to gain access to website source code and sensitive information (Photo courtesy of Maximusnd/iStock)

Cybersecurity platform Defense.com found that 332,000 websites, including 2,500 on UK government domains, had failed to secure this highly sensitive .git folder created by the tool.

Doing so “leaves these businesses vulnerable to exploitation by threat actors and is a serious issue that many affected organisations are unaware of”, the report claims. “Those that are aware are not following cybersecurity best practices and are exposing themselves to a high level of risk.”

Git is a widely used open source version control system used in application and website development. The most commonly used platform for hosting Git projects, GitHub, has over 83 million members.

An update was published by the Git project leaders in April to address a number of security flaws including a vulnerability affecting users on multi-user machines and another that affected the Git uninstaller, but researchers say the real issue lies with how the tools are being used.

They found that the fault didn’t actually lie with Git, but with Git users failing to follow best practice such as leaving hidden .git files exposed to Google and other search engines.

A Cabinet Office spokesperson told TechMonitor it regularly undertakes vulnerability testing to identify potential security issues and to ensure they are quickly resolved, adding “we continuously work with departments to ensure all government webpages have consistent and robust defences in place.”

Git users “unaware” of threat to directory

Oliver Pinson-Roxburgh, CEO of Defense.com, said a vulnerability like this can have serious consequences for an organisation. “Whilst it is true that some folders would have been purposefully left accessible, the vast majority will be unaware of the threat they are facing,” he said.

Pinson-Roxburgh said open source technology always has the potential for security flaws as it is rooted in publicly accessible code but the level of vulnerabilities seen in their research “is not acceptable”, saying that organisations including the UK government have to ensure they monitor systems and “take immediate steps to remediate risk”.

“The exposure of these hidden folders is concerning,” he warned. “Using a hacker’s favourite tool – Google – in the right way with a specially crafted Google dork someone can find and access the .git folders that Google has indexed on a large scale.”

Google dorking is a technique used by hackers that involves using Google search and other Google applications to find online systems or pieces of data not indexed by Google but still accessible on the open web – such as .git folders.

If a hacker gains access to the .git directory and the files contained within they can download the entire codebase and history of the website, but most worrying, according to the researchers is that often these folders include files with plain-text passwords, database credentials and API keys.

Gaining access to API keys and database logins could then provide a hacker with direct access to sensitive user data. Even gaining access to the source code of a website could allow for easier spoofing or the ability to find more vulnerabilities to execute an even more severe attack.

Pinson-Roxburgh said it was an easy problem to fix as it involves ensuring the .git is removed from the deployment process and filters should be added to the default configuration of the web server that blocks access to sensitive directories regardless of whether it is there or not.

“This will prevent accidental and unwitting exposure. This should safeguard your sensitive directory and circumvent exposure,” he said.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Coding assistants like GitHub Copilot are here to stay