Code security firm Truffle Security has warned that many websites in the Alexa top 1 million list have exposed their .git directories, potentially giving attackers access to a site's entire source code, including configuration files, commit history, and access credentials. An analysis of the exposed credentials revealed that Amazon Web Services and GitHub keys accounted for 45% of the leaked secrets. Around 67% of the exposed GitHub credentials were for accounts with admin-level privileges, which could allow attackers to implant malware in the code. Truffle Security has attempted to contact the impacted site owners after verifying the exposed secrets, but not all have responded.
Read more: https://www.securityweek.com/researchers-find-thousands-of-popular-websites-leaking-secrets/