An internet-wide scan on 230 million domains found 390,000 exposed source code directories.
The results, obtained by security researcher Vladimír Smitka, are a problem because a publicly readable .git folder, the metadata directory of a Git version control repository, exposes a great deal of information about the website's structure, or worse.
"Sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on," Smitka said. "This data shouldn't be stored in the repository, but... I have found many many developers that do not follow these best practices."
There are exceptions where the repository's accessibility isn't a problem – all the content is already shared on GitHub, or it is composed of only a few static files. In most cases, however, such exposure, inadvertent or not, creates an unnecessary risk.
"If you use git to deploy your site, you shouldn't leave the .git folder in a publicly accessible part of the site," Smitka advised. "If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world."
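One way to apply that advice on an nginx-served site, as an added example that is not from Smitka's write-up: deny web access to the .git directory (and, going slightly beyond the article, to other dot-directories that get deployed by mistake) while still allowing the ACME `.well-known` path. The document root, hostname and the assumption that the site runs on nginx are all placeholders.

```nginx
# Added example, not part of the original article. Assumes nginx serves the
# site from /var/www/example and that a .git directory was deployed inside
# that document root.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    # Match any path component starting with a dot (/.git/HEAD, /.git/config,
    # /.svn/, /.env, ...) except /.well-known/, which ACME clients need.
    # Answering 404 rather than 403 does not confirm that the directory exists.
    location ~ (^|/)\.(?!well-known/) {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, `curl -sI http://example.com/.git/HEAD` should return 404; a 200 response whose body starts with `ref:` means the repository is still reachable.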
Smitka ran the worldwide scan after completing smaller ones in the Czech Republic and neighbouring Slovakia. The global effort turned out to be a much tougher task that was stymied by tar pits, response timeouts and various other cyber-logistical problems.
The whole effort took around four weeks. Smitka then set about the semi-automated process of drawing up an email list, and notifying developers at affected sites about his discoveries and remediation advice, receiving a mixed response to his efforts.
"After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue," Smitka reported. "I have received almost 2,000 thank-you emails, 30 false positives, two scammer/spammer accusations, and one threat to call the Canadian police."
In his write-up, Smitka went on to break down the prevalence of potentially insecure systems uncovered through his scan by programming language, web server, operating system and other metrics. ®