Researchers discovered a .git folder exposing passwords and more for a website that gives advice to organizations about complying with the General Data Protection Regulation (GDPR) rules.
A website that gives advice on privacy regulation compliance has fixed a security issue that was exposing MySQL database settings — including passwords — to anyone on the internet.
The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data Protection Regulation (GDPR) laws that were imposed by the EU in 2018. The website is operated by Proton Technologies AG, the company behind end-to-end encrypted mail service ProtonMail. While it isn’t an official EU commission site, it is partly co-funded by the Horizon 2020 Framework Programme of the European Union, an EU research and innovation program.
The issue was “easily found, quickly fixed, so a result all round,” said Vangelis Stykas and Joe Durbin, researchers with Pen Test Partners, in a Monday post. “However, the irony of a EU-funded web site about GDPR having security issues isn’t lost on us.”
Stykas and Durbin said the issue stemmed from the website’s .git folder being readable by anyone online. This is a known problem due to lack of proper configuration – and one that’s been around for years.
Many web developers use the open-source development Git tool to build their pages, which tracks all changes made to files in the project. The tool builds this history over time in the standard .git information repository folder. However, if the .git folder is not secured properly, the file is world-readable on the public internet (and even occasionally indexed by Google). Access to the .git folder could lay bare source code, server access keys, database passwords, hosted files, encryption salts and more.
Researchers were able to discover the open .git folder on GDPR.EU using a simple DotGit browser plugin, which checks whether .git is exposed on a given website. Upon further investigation, researchers were able to view various WordPress pages associated with the website – including wp-config, a core WordPress file that contains information necessary to making the WordPress website operate. As part of that file, researchers were able to view the open source MySQL database management settings — such as name, host (typically localhost), username and password.
“This is an internal system, so it wouldn’t be a trivial matter to compromise it externally unless the password is re-used elsewhere, but there could be other routes,” the researchers said. “For example, ‘Authentication Unique Keys and Salts’ are of concern, as these have been used in the past to forge administrative cookies, which could potentially be used to deface or compromise the site.”
Researchers said that Proton Technologies responded “reasonably quickly” and fixed the vulnerability four days after it was reported. In the meantime, researchers urge website administrators to remove the Git directory from their sites to improve security.
“Removing the /.git/ directory from all published sites is strongly recommended, in order to prevent exposing sensitive data,” said researchers. “If your site is found to have this folder available, the contents should be reviewed and any password contained in accessible files should be changed as they should be classed as compromised.”
Open .git directories are a common problem – a scan of more than 230 million web domains worldwide in 2018, in fact, uncovered 390,000 web pages that were vulnerable due to the issue.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.