One in 600 websites exposes sensitive info via easily accessible .git folder

Git is the most popular tool for software version control. Created by Linus Torvalds to facilitate Linux kernel development, Git is a boon for software developers because it lets different developers track every change made to the code, and easily choose which changes will be accepted and which will not.

Unfortunately, less experienced developers often don’t know that Git keeps track of those changes by storing them in a hidden folder (.git).

“For web developers, exposing your .git folder to the world is a novice mistake. It allows anyone to download your entire source code repository, which often includes database passwords, salts, hashes, and third-party API keys or usernames and passwords,” warns developer and consultant Jamie Brown, who’s also the co-founder of British-Chinese fashion startup Chicmi.

He recently went through a previously compiled database of some 1.5 million “reasonably respected domains”, including government, educational and military domains as well as high-profile news sites like those of the BBC and The Guardian, and discovered that 2,402 of them have their .git folder exposed and downloadable.

And while some of these folders didn’t contain sensitive data, others did: database passwords, FTP details for web servers, backups, content meant to be hidden.

“One prominent human rights group exposed every single person who had signed up to a gay rights campaign (including their home address and email addresses) in a CSV file in their Git repository, publicly downloadable from their website,” Brown noted. “One company that sold digital reports provided its entire database of reports free of charge to anyone who wanted to download their .git folder.”

He urges developers to check whether their own .git folder is among those left unsecured, to lock it down immediately, and then to go through its contents to see what kind of sensitive information might have been accessed and change it (passwords, keys, etc.).

Checking whether the folder is accessible is as easy as visiting http://www.yourdomain.com/.git/.

“Ideally delete the folder and find a better way to deploy your code, or at least make sure access is forbidden using an .htaccess,” he concluded.
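The .htaccess approach Brown mentions, written out as an added example (this is not configuration from the article or from Chicmi; it assumes Apache 2.4 and that AllowOverride permits FileInfo and Limit directives in the document root). Note that a 403 on /.git/ only means directory listing is off: individual files such as /.git/HEAD or /.git/config may still be readable, so the rule has to cover the whole path, not just the directory index.

```apache
# .htaccess in the web document root (added example, not from the article).
# Assumes Apache 2.4 with mod_alias and mod_authz_core enabled, and
# AllowOverride FileInfo Limit (or All) for this directory.

# The weak state is simply having no rule at all: with a default
# "Require all granted" on the document root, every object file, ref and
# config inside /.git is served like any other static file.

# Hardened: refuse every request whose URL path contains /.git, /.svn or /.hg,
# including individual files such as /.git/HEAD and /.git/config.
# Answering 404 rather than 403 also avoids confirming that the folder exists.
RedirectMatch 404 "(^|/)\.(git|svn|hg)(/|$)"

# Deny other dotfiles that deployments tend to leave behind (.env, .htpasswd).
# Apache already protects .ht* by default; this covers the rest.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

If you control the server configuration, put the same rule in the virtual host as a `<DirectoryMatch>` block with `Require all denied` instead of relying on .htaccess, which only takes effect where AllowOverride allows it. Either way, as the article says, the real fix is not to deploy the repository metadata at all; a blocking rule is the safety net for when it slips through.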