I get a pile of email that is worse than useless, but I just got one that was great!
Repo Lookout is a large-scale security scanner, with a single purpose: Find source code repositories that have been inadvertently exposed to the public and report them to the domain’s technical contact.
The email looked like:
Our security scanner Repo Lookout has found a likely vulnerability on a host for which you are listed as the contact!
Repo Lookout is a non-commercial project to find inadvertently publicly exposed source code repositories.
Details
The following URL was world-readable at the time of scanning (Nov 5 ’23):
REDACTED ONE OF MY DOMAINS
This allows (at least partial) access to the site’s underlying source code repository! For instance, the last 5 code commits have been:
- a28e41b0: misc refactoring
- db4d9dda: added commented out references to load.php file
- cb0c0166: fixed js and css references
- 394f12eb: moved js file, moved css, added load file
- b9a730c9: DRY: everythind id value turned into part of STATE
Such access to the repository could give a malicious actor insight into the structure of the site (e.g. hidden functionality, critical bugs, or credentials to third-party services) and enable downstream attacks (e.g. data leakage, phishing, and extortion).
If this was not intended, we highly recommend disabling access to the source code repository!
Note that if the repository was intentionally made available, no action is required.
This was on a repository I saved as private on GitHub – those last commits were 13 years ago.
13 YEARS.
The fix was to delete the .git directory. I typically do an exclude for that directory when I am working on my website (which I’ve been doing a lot of lately) and copying up files with rsync, and other projects typically have more robust deployment means than just “copy over a whole directory with FTP”, which is how I made this mistake, uh, 13 years ago.
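As an added illustration (not code from the original post, and not Repo Lookout’s scanner), here is a small shell snippet covering both sides of that fix: a local check that a webroot contains no .git directory before it gets copied up, a remote check of the kind a scanner performs against /.git/HEAD (git’s default layout), and the rsync exclude. The host and paths in the rsync comment are placeholders.

```shell
#!/bin/sh
# Added example: checks for an exposed .git directory, plus the rsync exclude.

# Local check: list every .git directory under the given webroot.
# Run this against the directory you are about to copy to the server.
find_git_dirs() {
    find "$1" -type d -name .git 2>/dev/null
}

# Does a fetched body look like a git HEAD file?
# A real .git/HEAD is either "ref: refs/heads/<branch>" or, for a
# detached HEAD, a bare 40-hex commit id. Anything else (an HTML
# error page, a directory listing) is not a leak of HEAD.
looks_like_git_head() {
    printf '%s\n' "$1" | head -n 1 | grep -Eq '^(ref: refs/|[0-9a-f]{40}$)'
}

# Remote check against a live site: fetch /.git/HEAD and validate it.
# Returns 0 only when the file is readable and has the expected shape.
check_site() {
    body=$(curl -fsS --max-time 10 "${1%/}/.git/HEAD" 2>/dev/null) || return 1
    looks_like_git_head "$body"
}

# Deployment: exclude .git when pushing the tree with rsync (standard options;
# host and paths are placeholders):
#   rsync -av --exclude='.git' ./public/ user@example.host:/var/www/example/
```

If `check_site https://example.host` returns success, the repository is world-readable and the `.git` directory should be removed or blocked at the web server.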
Heck yeah I sent them some money via Ko-Fi!