A link to the message below was emailed or messaged to the people at whose sites I'd identified the data exfiltration problem.
You’re receiving this because I’ve reached out to you via Email, Twitter or LinkedIn to report a security issue with your website.
In the simplest terms:
- Visit https://yourdomain.ext/.git/config and if you get a download prompt or any information other than an HTTP 403 or 404 error, you may be vulnerable.
- The vulnerability will often allow anyone who notices it to download some or all of your website's code.
- This code usually contains weaknesses or passwords which could be used to further exploit your website, its data, or your customers.
- For an explanation of how the exploit works, or to download the tools which make exploiting this easy, see (NOT MY WEBSITE) https://github.com/internetwache/GitTools
After I detect the potential vulnerability, I check that data can be downloaded. I then notify the likely person(s) responsible and immediately DELETE all content from MY secure environment.
What you should do now:
- Contact your web hosting company or IT team and have them immediately block the .git folder from public access.
- Contact your website developer or IT team and have them review the security of their development and deployment processes.
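As an added example of the first fix above (this is not part of the original message, and the hostname and document root are placeholders), here is an nginx server block that returns 404 for any path containing a .git directory, including /.git/config and /.git/HEAD:

```nginx
# Added example, not from the original message: deny public access to any
# .git directory in an nginx server block. Hostname and root are placeholders.
server {
    listen 80;
    server_name yourdomain.ext;                 # placeholder, from the message above
    root /var/www/yourdomain.ext/public;        # assumed document root

    # Matches /.git, /.git/config, /.git/HEAD and any nested .git directory.
    # Returning 404 rather than 403 avoids confirming that the directory exists.
    location ~ /\.git {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading nginx, repeat the check from the message (request /.git/config on your own site) and confirm you now get a 404. For Apache, `RedirectMatch 404 /\.git` in the virtual host gives the same result. Blocking the path is a stopgap: the underlying fix is a deployment process that never copies the .git directory into the web root in the first place.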
What do I want? Nothing; what goes around comes around.
If you don't understand this and would like to contact me, reply to the message, or you can find out more about me and my day jobs at https://carlheaton.com/.
If you would like to spread the word about this problem, you can install a Chrome browser plugin which will tell you when a site you visit has the .git directory available.
Thank you for your time, have a better/good week.