An analysis of over 2.5 million domains for publicly accessible Git repositories found more than 1000 of them. Some repositories contain only harmless material such as templates or static HTML pages, but others hold the complete code of web applications together with their configuration: passwords for logins, databases, Office 365 logins, email accounts with passwords, or private keys used to communicate with payment providers. We even found usernames and passwords in the metadata of the repository itself, which granted access to the complete code management systems of companies. Even when there is no directory listing for the .git folder, the data can still be downloaded.
In software development today it is standard to use a code management system. A system of this kind is Git (https://de.wikipedia.org/wiki/Git).
A code management system stores the entire history of the source code. Every change can be traced, and any previous version of the source code can be restored. In addition, metadata about the project is stored alongside the code.
When a web application or website is deployed, the code is often checked out directly from the code management system. A misconfiguration can then leave the hidden .git folder accessible over the web, so the entire source code, including all configuration files, can often be retrieved. For example: https://example.com/.git/
The files in the .git folder may be listed directly. But even if directory listing is disabled on the server, the files in the .git folder can still be requested individually by name. Access to the .git folder is also often possible only on a variant of the host name: without www, or over http instead of https.
For example: access via https://www.example.com/.git/ is not possible, but access via https://example.com/.git is possible.
The entire code, including old versions, is visible. An attacker who has the complete code in front of him finds it much easier to locate security holes and exploit them.
Configuration files are often stored in the Git repository. These can contain usernames, passwords, access tokens and so on, which can then be abused, for example to connect directly to the database.
In the metadata of a Git repository, usernames and passwords can also be present in plain text. This allows an attacker to directly access the code management system and download all of a company's projects.
We have scanned over 2.5 million domains.
In some repositories only templates of the website were stored. In others the complete code of the website was available. We also found various usernames and passwords. These ranged from email accounts to database connections to usernames for the complete code management of companies.
Check if your webserver blocks the delivery of the .git folder
You can protect yourself from accidentally making the .git folder public by scanning your systems with nuclei and a corresponding template, or you can use a service like this to automate the scan for all your subdomains.
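The check described above, as an added example that is not part of the original article or of nuclei: a small Python script that requests /.git/HEAD and /.git/config on the host name variants mentioned (with and without www, https and http) and reports whether the server serves real Git metadata rather than a catch-all page. The function names are my own.

```python
import re
import urllib.error
import urllib.request

# Two files present in every checkout's .git folder. HEAD is the classic
# probe: a tiny text file with a fixed format that a catch-all page never has.
PROBE_PATHS = ("/.git/HEAD", "/.git/config")

# HEAD is either a symbolic ref ("ref: refs/heads/main") or a detached commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")
# .git/config is an INI-style file that always carries a [core] section.
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

def looks_like_git_head(body: str) -> bool:
    """True if the body is a genuine Git HEAD file."""
    return bool(HEAD_RE.match(body.strip()))

def looks_like_git_config(body: str) -> bool:
    """True if the body looks like a genuine .git/config."""
    return bool(CONFIG_RE.search(body))

def classify(path: str, status: int, body: str) -> str:
    """Map one probe response to 'exposed', 'blocked' or 'custom-page'."""
    if status != 200:
        return "blocked"
    if path.endswith("/HEAD") and looks_like_git_head(body):
        return "exposed"
    if path.endswith("/config") and looks_like_git_config(body):
        return "exposed"
    return "custom-page"  # HTTP 200 but a soft-404 / catch-all page, not Git data

def host_variants(domain: str) -> list:
    """Base URLs to probe: with and without www, over https and http."""
    bare = domain[4:] if domain.startswith("www.") else domain
    hosts = [bare, "www." + bare]
    return [f"{scheme}://{h}" for scheme in ("https", "http") for h in hosts]

def check_domain(domain: str, timeout: float = 5.0) -> dict:
    """Probe every variant and path; returns {url: verdict}."""
    results = {}
    for base in host_variants(domain):
        for path in PROBE_PATHS:
            url = base + path
            try:
                with urllib.request.urlopen(url, timeout=timeout) as resp:
                    body = resp.read(4096).decode("utf-8", "replace")
                    results[url] = classify(path, resp.status, body)
            except urllib.error.HTTPError as e:
                results[url] = classify(path, e.code, "")
            except (urllib.error.URLError, OSError):
                results[url] = "unreachable"
    return results

if __name__ == "__main__":
    import sys
    for url, verdict in check_domain(sys.argv[1]).items():
        print(f"{verdict:12} {url}")
```

Any "exposed" verdict means the .git folder is served; the fix is to deny the path in the web server configuration or deploy without the folder.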