Czech security researcher Vladimír Smitka is warning website operators to take a closer look at how they configure their site, in particular if they use git to deploy and manage it.
Smitka recently scanned 230 million "interesting" sites across the globe over one month and found 390,000 web pages with an open .git directory.
Smitka said this situation represented "a nasty problem", because unauthorized outsiders can access current and past files with information about the website's structure, or very sensitive data such as database passwords, API keys, and more.
An attacker could use this access to slowly reconstruct a site's git repository or delve into what libraries are used, and from there discover potential vulnerabilities.
He kicked off the global scan after doing a narrower scan of Czech and Slovak sites, which turned up over 2,000 sites with exposed .git folders in a publicly accessible part of the site.
On some of the exposed sites he found database passwords and unauthenticated uploaders.
But the motivation for the worldwide scan was that he found it relatively easy to find contact details for owners of the affected Czech and Slovak sites to fix the problem.
Normally <web-site>/.git/HEAD shouldn't be publicly accessible, but on vulnerable sites it is, and the .git directory it belongs to contains the list of commits and details about contributors, including their email addresses.
Plus, his alerts were fairly quickly acted upon. A month after sending 2,000 alerts, he rescanned the sites and found .git folders still accessible on only 874 sites, meaning a 55 percent success rate.
After completing the global scan he sent out another batch of 90,000 emails to affected site admins, which directed them to his landing page where he's described the issue and steps for mitigation.
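The HEAD check described above, written up as a self-check for a site you operate (an added example, not Smitka's scanner or anything from his landing page). The point a practitioner needs is that an HTTP 200 alone proves nothing: many servers answer every path with a 200 "not found" page, so the body must actually look like a git HEAD file (a `ref: refs/...` line, or a bare 40- or 64-hex object id for a detached HEAD) before the site is reported as exposed. The User-Agent string and the `example.invalid` host are assumptions made for the example.

```python
"""Self-check for a publicly readable .git/HEAD on a site you operate.

Added example, not the researcher's scanner. It fetches <site>/.git/HEAD and
only reports exposure when the body really looks like a git HEAD file, so a
server that answers every URL with a 200 HTML page is not a false positive.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# HEAD is either a symbolic ref ("ref: refs/heads/<branch>") or, for a detached
# HEAD, a bare 40-hex (SHA-1) or 64-hex (SHA-256) object id.
_SYMREF = re.compile(r"^ref: refs/\S+$")
_OBJECT_ID = re.compile(r"^[0-9a-f]{40}(?:[0-9a-f]{24})?$")


def looks_like_git_head(body: bytes) -> bool:
    """Return True if the bytes are plausibly the contents of .git/HEAD."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False  # HEAD is plain ASCII; anything else is an error page or binary
    lines = text.strip().splitlines()
    if len(lines) != 1:  # a real HEAD file is a single line
        return False
    return bool(_SYMREF.match(lines[0]) or _OBJECT_ID.match(lines[0]))


def classify(url: str, status, body: bytes) -> dict:
    """Turn an HTTP status and body into a verdict: exposed, blocked or unclear."""
    head_like = looks_like_git_head(body)
    if status == 200 and head_like:
        verdict = "exposed"
    elif status in (401, 403, 404):
        verdict = "blocked"
    else:
        verdict = "unclear"  # e.g. 200 with an HTML soft-404 page, or a redirect home
    return {"url": url, "status": status, "head_like": head_like, "verdict": verdict}


def check_site(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/.git/HEAD and classify the response (network access needed)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    # Assumed User-Agent so the request is identifiable in your own access logs.
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096)
    except HTTPError as err:  # must precede URLError: HTTPError is a subclass of it
        status, body = err.code, b""
    except URLError as err:
        return {"url": url, "status": None, "head_like": False,
                "verdict": "unclear", "error": str(err.reason)}
    return classify(url, status, body)


if __name__ == "__main__":
    # Constructed sample responses (no real site involved) showing each verdict offline.
    samples = [
        (200, b"ref: refs/heads/master\n"),               # exposed
        (200, b"<!DOCTYPE html><html>Not found</html>"),  # soft-404: unclear, not exposed
        (403, b""),                                        # blocked by the web server
    ]
    for status, body in samples:
        print(classify("https://example.invalid/.git/HEAD", status, body))
```

If the verdict is "exposed", the fix is to keep the repository out of the document root (or deny the `.git` path in the web server configuration) and then treat every credential that ever appeared in the history as compromised and rotate it, since the files remain recoverable from past commits even after the current tree is cleaned.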
"Just for clarification, I didn't hack your site," Smitka stresses on his site.
"I'm a security researcher/white hat/ethical hacker and I only detected a security problem on your website," he said.
"No sensitive data was downloaded from your site except for your email address, which will be forgotten after the research. I won't store it or use it for any other purposes."
For the most part his email alerts have been well received, leading to 300 additional messages from affected parties, and 2,000 thank-you emails.
However, he's also received one threat to call the Canadian police and two accusations that he was a spammer.