After scanning more than 230 million domains, Lynt Services’ Czech security researcher Vladimir Smitka found more than 390,000 websites with source code .git repositories exposed to the web.
Publicly available git repositories are nothing unusual, with many of them hosted on software development platforms such as GitHub, but a private repository that is reachable through a website's web root is a different matter and not a good idea.
Developers and website administrators should take into account the fact that a production .git repository might contain sensitive data such as private API keys and database passwords.
Smitka tells in his report that “this data shouldn’t be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices.”
Furthermore, repo files such as .git/index can be used to collect information regarding the internal structure of the app, with the endpoints and internal app structur…
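A self-check for the misconfiguration described above, added here as an example and not taken from Smitka's report or Lynt Services' scanner. It builds a constructed web root containing a minimal .git directory, serves it from two local HTTP servers (Python's default file handler, which happily serves dotfiles, and a hardened handler that refuses any path with a `.git` segment), then requests `/.git/HEAD` from each and reports whether repository metadata is reachable. The `ref: refs/` prefix match is an assumption about what a scanner should key on; it avoids counting catch-all 200 pages as exposures.

```python
"""
Self-audit for exposed .git directories (added example, not from the article).

Two local servers share one constructed web root. The default handler serves
everything under the document root, which is the misconfiguration the scan
found; the hardened handler denies any request that touches a ".git" segment.
git_exposed() fetches /.git/HEAD and decides whether the repository is reachable.
"""
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def make_web_root() -> str:
    """Create a constructed document root that contains a minimal .git directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".git", "refs", "heads"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")  # shape of a real HEAD file
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>hello</html>\n")
    return root


class QuietHandler(SimpleHTTPRequestHandler):
    """Default file serving (dotfiles included), with request logging silenced."""

    def log_message(self, *args):
        pass


class HardenedHandler(QuietHandler):
    """Same file serving, but any path containing a .git segment gets a 403."""

    def send_head(self):
        path = urlsplit(self.path).path
        if any(segment == ".git" for segment in path.split("/")):
            self.send_error(403, "Forbidden")
            return None
        return super().send_head()


def start_server(handler_cls, root: str) -> ThreadingHTTPServer:
    """Bind on an ephemeral loopback port and serve `root` in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def git_exposed(base_url: str, timeout: float = 5.0) -> bool:
    """Return True if <base_url>/.git/HEAD is served and looks like a git HEAD file.

    A symbolic ref ("ref: refs/...") or a bare 40-hex detached HEAD counts;
    anything else (404, 403, an HTML catch-all page) does not.
    """
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(256).decode("utf-8", "replace").strip()
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False
    if body.startswith("ref: refs/"):
        return True
    return len(body) == 40 and all(c in "0123456789abcdef" for c in body)


def audit_both() -> tuple:
    """Run the check against both servers; returns (default_exposed, hardened_exposed)."""
    root = make_web_root()
    vulnerable = start_server(QuietHandler, root)
    hardened = start_server(HardenedHandler, root)
    try:
        v_url = "http://127.0.0.1:%d" % vulnerable.server_address[1]
        h_url = "http://127.0.0.1:%d" % hardened.server_address[1]
        return git_exposed(v_url), git_exposed(h_url)
    finally:
        vulnerable.shutdown()
        hardened.shutdown()


if __name__ == "__main__":
    default_exposed, hardened_exposed = audit_both()
    print("default handler exposes .git:  %s" % default_exposed)
    print("hardened handler exposes .git: %s" % hardened_exposed)
```

Run it against your own sites by calling `git_exposed("https://example.invalid")` with the real hostname; the hardened handler is only a reference for the fix, which in production belongs in the web server configuration (for nginx, a rule of the form `location ~ /\.git { deny all; }`), or better, in not deploying the `.git` directory to the document root at all.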
Source: Latest News