Open source bug leaves hundreds of thousands of sites open to attack

Hundreds of thousands of websites, including thousands on the .gov domain, are at risk of data loss, experts warn.

Cybersecurity researchers at Defense.com have discovered a vulnerability in the open source development tool Git that, if left unpatched, gives threat actors the keys to the kingdom.

The problem is that a site's .git folder should never be reachable from the web, yet in many cases it is. While this is a serious issue, the researchers say it is not Git's fault directly but the result of Git users not following best practices. With a specially crafted Google search query (a "dork"), a malicious actor can locate these exposed folders and download their contents.

Risk elimination

Files in these folders typically contain the entire history of the codebase, previous code changes, comments, security keys, and sensitive remote paths holding secrets and plaintext password files. Beyond the obvious threat of exposed passwords and sensitive data, there is a hidden one: attackers can study the code to find additional flaws, not to fix them but to exploit them. These folders can also contain database credentials and API keys, giving threat actors a further route to sensitive user data.
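The exposure described above can be verified on your own hosts with a simple check: if GET /.git/HEAD returns a real Git HEAD file, the repository is being served. The following is an added example written for this page, not code from Defense.com or the article; the sample responses are constructed and the host list is a placeholder.

```python
import re
import urllib.error
import urllib.request

# .git/HEAD is either a symbolic ref ("ref: refs/heads/<branch>") or, when the
# checkout is detached, a bare 40-hex commit id. Either form proves the folder
# is being served over HTTP.
_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")


def classify_git_exposure(status: int, body: str) -> str:
    """Classify one response to GET /.git/HEAD from a host we own.

    'exposed'  -> body is a genuine Git HEAD file
    'blocked'  -> server refused or hid the path (401/403/404)
    'unknown'  -> anything else, e.g. a 200 from a catch-all SPA route
    """
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and _HEAD_RE.match(body.strip()):
        return "exposed"
    return "unknown"


def audit_hosts(base_urls, timeout=5):
    """Fetch /.git/HEAD from each of our own base URLs; return {url: verdict}."""
    results = {}
    for base in base_urls:
        url = base.rstrip("/") + "/.git/HEAD"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(2048).decode("utf-8", "replace")
                results[base] = classify_git_exposure(resp.status, body)
        except urllib.error.HTTPError as err:
            results[base] = classify_git_exposure(err.code, "")
        except (urllib.error.URLError, OSError):
            results[base] = "unreachable"
    return results


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "symbolic": (200, "ref: refs/heads/main\n"),
    "detached": (200, "0123456789abcdef0123456789abcdef01234567\n"),
    "spa":      (200, "<html><body>Not found</body></html>"),
    "denied":   (403, "<html>403 Forbidden</html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:9s} -> {classify_git_exposure(status, body)}")
    # audit_hosts(["https://example.com"])  # placeholder: substitute your own hosts
```

A host that reports "exposed" is fixed by denying the path at the web server (for nginx, `location ~ /\.git { deny all; return 404; }`) or, better, by deploying build artifacts rather than a working checkout.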

In total, according to Defense.com, 332 websites were found to be potentially vulnerable, including 000 residing on the .gov domain.

"Open source technology always has the potential for security vulnerabilities as it is embedded in publicly available code. However, this level of vulnerability is not acceptable," commented Oliver Pinson-Roxburgh, Defense.com CEO. "Organizations, including the UK government, need to ensure they monitor their systems and take immediate action to remediate risks."

Git is an extremely popular open source version control system with more than 80 million active users, adds Pinson-Roxburgh, who says that this type of vulnerability, on such a popular platform, can have "serious consequences" for the companies involved.

“While it is true that some files may have been deliberately left accessible, the vast majority will not be aware of the threat they face,” he concluded.