Thousands of Websites Expose Sensitive Data⌗
Code security firm Truffle Security has issued a critical warning regarding the security of thousands of websites listed in the Alexa top 1 million. According to their recent report, these websites are inadvertently leaking sensitive data, including credentials.
- 🚨 4,500 websites from the analyzed list exposed their
- 🧑💻 The
.gitdirectory contains critical information, such as code commits, file paths, version control details, and more.
- 🤯 In some cases, the entire private source code of the websites was exposed.
- ⚠️ Such exposed directories could potentially grant attackers access to source code, configuration files, commit history, and access credentials.
- 🌐 Attackers could leverage this information to target victims’ web applications or hunt for live credentials, including those related to services like AWS.
- 🛡️ Analysis revealed that AWS and GitHub keys were the most commonly leaked secrets, accounting for 45% of exposed credentials.
- 📧 Email marketing services, such as Mailgun, SendInBlue, Mailchimp, and Sendgrid, also featured prominently among the exposed keys.
Admin Privileges and More:
- 🧰 Notably, approximately 67% of the identified GitHub credentials held admin-level privileges.
- 💼 All exposed credentials had repo permissions, granting the potential for various malicious actions, such as implanting malware in the code.
- 🔑 Further scrutiny unveiled the exposure of private RSA keys corresponding to domain TLS certificates, raising concerns of man-in-the-middle attacks.
Mitigation Efforts and Scope:
- 📢 Truffle Security attempted to contact impacted site owners to address the vulnerabilities but reported mixed success.
- 🌍 The research focused on a specific subset of websites and directories, highlighting the need for broader vigilance in securing code repositories.
Read the full article for in-depth insights into this alarming security issue.
Stay secure online! 🔒