“Nearly 400,000 websites are at risk of hacking through open .git folders.

Get a free Techzine subscription!

According to Czech security researcher Vladimír Smitka, almost 400,000 websites are at risk of being hacked. The reason is that the pages have an open .git folder. It concerns /.git/HEAD, which should not be publicly accessible.

This is dangerous because it allows malicious parties to access current and old files containing information about the structure of the website, or sensitive data such as passwords for databases. That’s what Smitka puts against ZDNet. This allows an attacker to slowly change the git repository of a website. It is also possible to see which libraries are being used and from there to find potential vulnerabilities.

In just one month, the researcher scanned 230 million “interesting” websites worldwide. 390,000 pages of which were found to contain this problem. On some of the websites, Smitka found passwords from databases and uploaders without authentication.

The scan started with websites in the Czech Republic and Slovakia. But after Smitka found so many vulnerable websites, he decided to expand the scan. Another reason for carrying out the scan on a large scale is that it turned out to be relatively easy to find the contact details of the owners of the websites. This allowed him to contact the owners so that they could solve the problem.

Notifications

Smitka sent 2,000 notifications to owners of vulnerable websites. After a month he scanned the websites again and discovered that the vulnerability now only occurred on 874 websites. This means that 55% of the people who received the message have solved the problem.

After the global scan, Smitka sent another 90,000 e-mails. He received a total of 300 messages from victims and 2,000 thank you emails.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.