Czech security researcher Vladimír Smitka is warning website operators to take a closer look at how they configure their site, in particular if they use git to deploy and manage it.
Smitka recently scanned 230 million "interesting" sites across the globe over one month and found 390,000 web pages with an open .git directory.
Smitka said this situation represented "a nasty problem", because unauthorized outsiders can access current and past files with information about the website's structure, or very sensitive data such as database passwords, API keys, and more.
An attacker could use this access to slowly reconstruct a site's git repository or delve into what libraries are used, and from there discover potential vulnerabilities.
He kicked off the global scan after doing a narrower scan of Czech and Slovak sites, which turned up over 2,000 sites with exposed .git folders in a publicly accessible part of the site.
On some of the exposed sites he found database passwords and unauthenticated uploaders.
But the motivation for the worldwide scan was that he found it relatively easy to find contact details for owners of the affected Czech and Slovak sites to fix the problem.
Normally <web-site>/.git/HEAD shouldn't be publicly accessible, but on vulnerable sites it is, and the .git directory it belongs to holds the commit history and details about contributors, including their email addresses.
Plus, his alerts were fairly quickly acted upon. A month after sending 2,000 alerts, he rescanned the sites and found .git folders still accessible on only 874 sites, a 55 percent success rate.
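As an added example (not part of the article or of Smitka's own tooling), two defender-side checks in Python: recognising a genuine `.git/HEAD` response when auditing your own hosts, and spotting `/.git/` requests in web server access logs. The log lines are constructed for the example.

```python
import re

# A real HEAD file is either a symbolic ref or a detached 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")

# Apache/nginx "combined" log format: client, identity, user, [time], "request", status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample access-log lines (not real traffic); 203.0.113.5 walks the repo.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2018:10:12:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2018:10:12:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2018:10:12:03 +0000] "GET /.gitignore HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2018:10:13:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2018:10:15:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "curl/7.58.0"',
]


def looks_like_git_head(body: str) -> bool:
    """True if an HTTP body fetched from /.git/HEAD on your own host is a real
    git HEAD file, rather than a soft-404 page that also answers 200."""
    return bool(_HEAD_RE.match(body.strip()))


def git_probe_hits(log_lines):
    """Return (client_ip, path, status) for every request under /.git/.
    /.gitignore and similar names are deliberately not matched."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path == "/.git" or path.startswith("/.git/"):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def served_git_paths(log_lines):
    """Sorted /.git/ paths the server actually answered with 200: the
    confirmed exposure, as opposed to probes that were correctly refused."""
    return sorted({p for _, p, s in git_probe_hits(log_lines) if s == 200})


if __name__ == "__main__":
    # The fix belongs in the web server, e.g. nginx: location ~ /\.git { return 404; }
    print("probes:", git_probe_hits(SAMPLE_LOG))
    print("served:", served_git_paths(SAMPLE_LOG))
```

Any path in `served_git_paths` output means the repository is readable and the site should be treated as if its history, including any committed credentials, has already been copied.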