Prestigious club Stade Français potentially endangered its fans for over a year after leaking its website’s source code.
Stade Français is a professional rugby union club based in Paris. Founded in 1883 and competing in France’s premier rugby league, Top 14, it has established itself as one of the most successful teams in the country, with a dedicated fan base of hundreds of thousands of followers on social media.
Cybernews recently discovered that the server hosting the official Stade Français website was leaking its source code through the publicly accessible .git directory. The website provides fans with daily news updates, upcoming matches, match reviews, ticketing services, and a merchandise shop.
Poor access control to .git directories potentially enabled threat actors to make unauthorized changes to the club’s server. If the threat actors had exploited the vulnerability, it might have posed risks to the users' data and could have potentially resulted in the takeover of the server.
Git is a popular tool that enables tracking code changes and helps programmers to collaborate. The .git directory is the place where the metadata and object database of the projects are stored.
Serious security risks
Unsecured access to the website’s .git directory potentially allowed anyone to partially or fully download the application's source code. It raises concern, since threat actors might have exploited the vulnerability to deceive users into installing malicious apps.
Threat actors might have also used the access to add skimmers, which allow payment card stealers into the website’s online store that would have compromised fans and therefore harmed the club's reputation.
Also, researchers could find clients’ IDs while analyzing the source code. Having such information can potentially enable unauthorized actions on behalf of users or platform admins. The club’s .git was accessible for more than 420 days until Cybernews reached out to Stade Francais and it fixed the security issue.
Millions of .git folders accessible to public
Leaving the .git folder exposed allows threat actors to gain access to the source code repository, make changes or steal the code.
Despite the potential dangers, many companies still leave .git directories publicly accessible, endangering their business and customers. Previous research by Cybernews revealed that nearly two million .git folders containing vital project information are exposed to the public.
Over 31% of publicly accessible .git folders are located in the US, followed by China (8%) and Germany (6.5%.)
How to secure .git folders?
Cybernews reminds developers that restricting access to .git folders is essential. The .git folders contain sensitive information about the project, such as the history of code changes, the project’s metadata, passwords or keys, and contributors' data. Here is how to keep .git directories secure:
- The .git directory should always be hidden and not accessible to third parties. As many free-to-use tools and methods are available that obtain access to the repositories through leaked .git directories, it is essential to follow all security protocols inside and outside the repository.
- The .git directory is not intended to be uploaded online. One way it might end up on the web is when developers accidentally upload the whole application directory and therefore include .git, which might not always be visible in the file explorers. Checking a directory tree after each deployment should be on everyone's checklist.
- It is advisable to use the .gitignore file, which tells Git which files to ignore when committing your project to the GitHub repository. Such practice could save sensitive data from being exposed to the public by accident.
More from Cybernews:
Subscribe to our newsletter