Open .git directories could expose sensitive data

Criminals never stop, and cyber criminals are no exception, so cyber crime fighting can’t take a break either. But, as we say at Shield, every IT hero needs a good team behind them. Today we learned of a data breach threat lurking in git repositories. One of the good guys, Vladimír Smitka, reported that nearly 400,000 websites expose sensitive data through their repository files. Other version control systems very likely have similar issues, but no research has been published that shows it… yet. So if you deploy a website with git, make sure of two things:

1) Your .git directory isn’t reachable from the public web.

2) There are no secrets (database passwords, API keys, private keys) in your repository files, including the commit history, which keeps a copy of anything that was ever committed.

Vladimír found that “many developers do not follow best practices”, so sensitive data such as database passwords ends up committed to the repository.
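Both checks can be scripted. The following is an added example, not code from the original post or from Vladimír Smitka’s scanner. It classifies the response to GET <web-site>/.git/HEAD the way his recommended test does (a real HEAD file is either a `ref: refs/...` line or a 40-character hex commit id; a 200 with an HTML body is not proof of exposure, since many sites answer every path with a 200 page), and it scans repository text, such as the output of `git log -p --all`, for the kind of credentials he found. The secret patterns and the sample diff are constructed for illustration.

```python
"""Two checks for a git-deployed site: is /.git/ readable from the outside,
and does the repository (including its history) carry credentials.
Added example; hostnames, patterns and sample data are constructed."""
import re
import sys
import urllib.error
import urllib.request

# A genuine .git/HEAD is a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def classify_head(status, body):
    """Classify a GET /.git/HEAD response as 'exposed', 'blocked' or 'unclear'.
    Only a 200 whose body parses as a HEAD file counts as exposed."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and HEAD_RE.match(body.strip()):
        return "exposed"
    return "unclear"


def check_site(base_url, timeout=5):
    """Fetch <site>/.git/HEAD and classify it (needs network access)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify_head(resp.status, body)
    except urllib.error.HTTPError as e:
        return classify_head(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unclear"


# Constructed patterns for the kind of secrets found in repository files.
# The db pattern accepts `key = value`, `key: value` and PHP define('KEY', 'value').
SECRET_PATTERNS = [
    ("db password", re.compile(
        r"(?i)\b(?:db_pass(?:word)?|database_password|mysql_pass)\b"
        r"['\"]?\s*[=:,]\s*['\"]?(?P<v>[^'\"\s;,)]{4,})")),
    ("aws access key", re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b")),
    ("private key", re.compile(r"(?P<v>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]


def scan_for_secrets(text):
    """Scan text (e.g. `git log -p --all` output) for credentials.
    Returns (line_number, kind, matched_value) tuples. Scanning history
    matters: a password deleted in a later commit is still in every clone."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((n, kind, m.group("v")))
    return hits


# Constructed sample: a hunk as `git log -p` would print it.
SAMPLE_DIFF = """\
diff --git a/wp-config.php b/wp-config.php
+define('DB_PASSWORD', 'hunter2pass');
+$aws = 'AKIAIOSFODNN7EXAMPLE';
 define('DB_HOST', 'localhost');
"""

if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, check_site(site))
    for hit in scan_for_secrets(SAMPLE_DIFF):
        print("secret in history:", hit)
```

Run it with one or more site URLs as arguments (for example `python check_git.py https://example.org`, file name assumed). If a site comes back exposed, block the directory at the web server (in nginx, `location ~ /\.git { deny all; }`) or, better, deploy from a build that never contains .git at all; and any password that was ever committed has to be rotated, because removing it from the working tree leaves it in the history.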

Vladimír Smitka is a security researcher and founder of Lynt Services, a Czech-based technology services company. Since July he has been running a global scan of websites to see whether their .git directories are publicly accessible and expose sensitive data. He has found nearly 400,000 that do.

In his research post Vladimír details his findings, the methods he used and the actions he recommends. We’ll leave the last word to him:

“If you use git to deploy your site, you shouldn’t leave the .git folder in a publicly accessible part of the site. If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world. You can easily verify these rules by trying to open the <web-site>/.git/HEAD – if set up correctly it shouldn’t [display files etc.]”

