Hackers have far an excessive amount of to realize from uncovered Git configuration recordsdata. “In some instances, if the total .git listing can be uncovered, attackers could possibly reconstruct the whole codebase — together with commit historical past, which can comprise confidential data, credentials, or delicate logic,” researchers mentioned.
Final week, cybersecurity researcher Sharon Brizinov reported gathering $64,000 in bug bounty winnings for locating dozens of GitHub repositories nonetheless exposing secrets and techniques from deleted recordsdata owing to Git’s retention of code modifications and related recordsdata even after deletion.
The chain of Web Archive breaches from October 2024 was reportedly carried out utilizing credentials (Gitlab secrets and techniques) stolen in the identical manner. GreyNoise beneficial proscribing .git listing entry from public internet servers, blocking entry to hidden recordsdata and folders in internet server configurations, checking logs for repeated requests for .git/config, and rotating any credentials uncovered in model management historical past, to remain forward of hackers.
