According to TechMonitor, hundreds of thousands of websites, including some on UK government domains, that use the open source version control tool Git are at risk of having their entire codebase, history and previous code changes stolen by hackers. Cybersecurity platform Defense.com found that 332,000 websites, including 2,500 on UK government domains, had failed to secure the highly sensitive .git folder that the tool creates.
Leaving that folder exposed “leaves these businesses vulnerable to exploitation by threat actors and is a serious issue that many affected organisations are unaware of”, the report claims. “Those that are aware are not following cybersecurity best practices and are exposing themselves to a high level of risk.” An update was published by the Git project leaders in April to address a number of security flaws, including a vulnerability affecting users on multi-user machines and another that affected the Git uninstaller, but researchers say the real issue lies with how the tools are being used.
They found that the fault did not actually lie with Git itself, but with Git users failing to follow best practice, for example by leaving hidden .git directories exposed to Google and other search engines.
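The exposure described above is easy to verify for domains you operate: a web server that serves `/.git/HEAD` will almost certainly serve the rest of the repository too. The following self-check is an added example, not code from TechMonitor, Defense.com or the Git project; it separates the response classification (testable offline) from the single HTTP probe, and treats a catch-all 200 page as "uncertain" rather than "exposed" so that soft-404 sites do not produce false positives.

```python
import re
import sys
import urllib.error
import urllib.request

# One cheap probe: a real .git/HEAD is either a symbolic ref or a bare object id.
PROBE_PATH = "/.git/HEAD"
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: bytes) -> bool:
    """True only for genuine HEAD content, never for an HTML error page."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(HEAD_RE.match(text.strip()))


def classify(status: int, body: bytes) -> str:
    """EXPOSED: the server hands out git metadata (fix: deploy without .git,
    or deny /.git at the web server).  UNCERTAIN: 200 but not a HEAD file
    (catch-all page), worth a manual look.  OK: the path is refused."""
    if status == 200 and looks_like_git_head(body):
        return "EXPOSED"
    if status == 200:
        return "UNCERTAIN"
    return "OK"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Probe one site you own, e.g. https://www.example.org (constructed name)."""
    url = base_url.rstrip("/") + PROBE_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(512))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"


if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, check_site(site))
```

Run it against your own hostnames; an EXPOSED result means the whole history, including any secrets ever committed, is retrievable by anyone who finds the folder.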