Almost 400k websites risk hacking, data theft via open .git repos, researcher warns

Your misconfigured website could be exposing sensitive data, including database passwords.
Written by Liam Tung, Contributing Writer

Czech security researcher Vladimír Smitka is warning website operators to take a closer look at how they configure their site, in particular if they use a git to deploy and manage it.

Smitka recently scanned 230 million "interesting" sites across the globe over one month and found 390,000 web pages with an open .git directory.

Smitka said this situation represented "a nasty problem", because unauthorized outsiders can access current and past files with information about the website's structure, or very sensitive data such as database passwords, API keys, and more.

An attacker could use this access to slowly reconstruct a site's git repository or delve into what libraries are used, and from there discover potential vulnerabilities.

He kicked off the global scan after doing a narrower scan of Czech and Slovak sites, which turned up over 2,000 sites with exposed .git folders in a publicly accessible part of the site.

On some of the exposed sites he found database passwords and unauthenticated uploaders.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

But the motivation for the worldwide scan was that he found it relatively easy to find contact details for owners of the affected Czech and Slovak sites to fix the problem.

Normally <web-site>/.git/HEAD shouldn't be publicly accessible, but on vulnerable sites it is, and that directory contains a list of commits and details about contributors, including their email addresses.

Plus, his alerts were fairly quickly acted upon. A month after sending 2,000 alerts, he rescanned the sites and found .git folders only accessible on 874 sites, meaning a 55 percent success rate.

After completing the global scan he sent out another batch of 90,000 emails to affected site admins, which directed them to his landing page where he's described the issue and steps for mitigation.

"Just for clarification, I didn't hack your site," Smitka stresses on his site.

"I'm a security researcher/white hat/ethical hacker and I only detected a security problem on your website," he said.

"No sensitive data was downloaded from your site except for your email address, which will be forgotten after the research. I won't store it or use it for any other purposes."

For the most part his email alerts have been well received, leading to 300 additional messages from affected parties, and 2,000 thank-you emails.

However, he's also received one threat to call the Canadian police and two accusations that he was a spammer.


Vladimír Smitka found 390,000 webpages with an open .git directory.

Image: Lynt Services

Previous and related coverage

Web security gets a boost as TLS gets major overhaul

Expect wide and fast adoption of the latest web encryption protocol after engineers finalise Transport Layer Security (TLS) version 1.3.

Why is Google selling potentially compromised Chinese security keys?

Opinion: To sign up for Google's Advanced protection program, you must buy security keys from a Chinese vendor. Security questions have since been raised considering current intelligence laws in China.

Facebook bumps up links to HTTPS to boost online security

The platform's link security infrastructure now includes HSTS preloading.

How to manage cloud security when providers and customers share responsibility TechRepublic

Who is responsible for cloud security: The service provider or the customer? Many people view it as a shared-responsibility relationship. Here are best practices for managing that relationship.

Chrome's long-promised HTTP 'not secure' website warnings arrive CNET

Take note if you see the warning, but don't panic.

Editorial standards