A tech entrepreneur and consultant who keeps a database of 1.5 million respected domains, including government, educational and military websites, has found that one in 600 of them is 'dangerously exposed'.
Jamie Brown, co-founder at fashion app Chicmi, who built up the database as a personal project, believes he has discovered 'one of the biggest holes in the internet'.
The exposure relates to domains that leave their Git repository (the .git folder, which holds a site's full source code history and, often, its database passwords) open for anyone to browse and download.
While some of these repositories are harmless, many contain very sensitive customer information and make the websites far more vulnerable to cyber attacks.
According to Brown, 2,402 of the domains in his database have their Git folder exposed, hundreds of which list database passwords or include API keys for cloud services.
‘Others included FTP details to their own web server,’ he wrote on his blog. ‘Many contained database backups in .SQL files, or the contents of hidden folders that are meant to be restricted.’
In one example, a ‘prominent human rights group’ left a CSV file containing the name, home address and email address of every person who signed up to a gay rights campaign open for public download.
And a company that sells digital reports offered all of them for free download by leaving its Git folder exposed.
Brown advised web developers to immediately ‘lock down’ any Git folders that are visible on their websites.
‘Ideally delete the folder and find a better way to deploy your code, or at least make sure access is forbidden using an .htaccess.’
He also said any website that did have its Git folder exposed should assume someone had already downloaded everything.
‘Work out what they could have seen,’ he said. ‘What passwords, salts, hashes or API keys do you need to change? What data could they have accessed? What could they have done to alter or impair your service?
‘And then please spread the word among other developers too – because right now this must be one of the biggest holes in the internet.’
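The .htaccess lock-down Brown recommends, written out as an added example (this is not configuration from the article or from Brown). It assumes an Apache host on which AllowOverride permits FileInfo directives; the choice to answer 404 rather than 403 is mine, so that a request for the folder does not confirm the repository exists.

```apache
# Added example, not from the original article.
# Block every request whose path contains a ".git" component
# (e.g. /.git/HEAD, /app/.git/config, /.gitignore is NOT matched).
# mod_alias is available in .htaccess context on a default build.
RedirectMatch 404 (?i)(^|/)\.git(/|$)

# Equivalent rule for hosts where only mod_rewrite is enabled.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.git(/|$) - [R=404,L]
</IfModule>
```

After deploying, request /.git/HEAD on your own site and confirm you get a 404 rather than a line beginning "ref: refs/heads/". As the article says, this is a stop-gap: the repository should not be on the web root at all, and any credentials it once exposed should be rotated regardless.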