This article is more than 1 year old

ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online

Ooo, double irony!

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.

The vulnerability in question allowed the entire contents of the website's /.git/ repository to be cloned, as Pen Test Partners explained in a blog post about what it found on advice site

"The irony of a EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy. is run by Proton Technologies AG, better known as the Swiss corporation behind email service ProtonMail, which prides itself on being leader of the pack for all things security and privacy. While not an official site as such, it bears a prominent header that reads: "This project is co-funded by the Horizon 2020 Framework Programme of the European Union," along with an EU flag graphic.

Bridge in Sheffield city centre

Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard


Within the /.git/ repo were the keys to's WordPress kingdom: a full and unabridged copy of wp-config.php. In a WordPress installation, wp-config.php is the critical file containing a plaintext copy of the username and password for the SQL database powering the entire site. Someone malicious with those creds could wipe the site, rewrite its contents or deface it.

"This is an internal system, so it wouldn't be a trivial matter to compromise it externally unless the password is re-used elsewhere," noted PTP, in fairness to Proton Technologies.

A spokesman for Proton Technologies told The Register this was a "legitimate finding" while agreeing with the level of seriousness.

He said: "We were informed of this issue on Friday, the 24th of April, and a fix was deployed shortly afterwards. is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to the being defaced because database access is limited to internal only. Nevertheless this is a legitimate finding under our bug bounty program. It's important to note that no personal information is stored at and at no point was any sensitive data at risk."

Should you have carelessly uploaded your /.git/ repository alongside your WordPress website, treat any creds in it – not just those in wp-config.php – as compromised and change them immediately, advised PTP. Such creds could include, for example, the admin username and password for the WordPress installation. ®

More about


Send us news

Other stories you might like