“The GDPR fever opened a greatly beneficial discussion on privacy protection – before that, nobody cared!”
Earlier this month, we reviewed the research of Vladimír Smitka on open .git folders on websites globally. The results of his research were remarkable: 390,000 web pages were found with an open .git directory! So we invited Vladimír for a talk on his research, its GDPR implications and his views on open source vulnerabilities.
JAXenter: Your recent project for a global scan of the .git folder on international websites must have been an enormous endeavor. I must congratulate you on the effort, but how did you come up with the idea, and why?
Vladimír Smitka: First of all, thank you. This isn’t my first time working on security research. I’ve completed dozens of smaller-scale research projects, and in doing so, have already encountered this issue. I wondered if it was just a marginal concern or a really widespread problem. As I mentioned in my article, I focused on the Czech environment at first, and my presumption was confirmed. At that time, I was preparing a presentation about WordPress security for WordCamp Bratislava, and exposed .git was one of the concerns I brought up in my presentation. This issue is unique because it reveals the developer’s email address, and finding the relevant contact is usually the most challenging task. This deadly combination, ease of contact and severity of consequences, convinced me that expanding the research worldwide made perfect sense.
JAXenter: The results of your research are amazing. One of the first things I did after reading your post was to perform the test on some websites myself! You describe your process in sufficient detail in your article, so I don’t want to bother you with that. However, I have to ask: was it more of a planned project, or did you just come up with the next steps while you were at it?
Vladimír Smitka: I have a proven basic methodology for similar types of research. I know exactly what I am looking for, what I want to achieve, and what I will do with the results. However, each research project has its own specifics, and the procedure is modified by current findings, so the path is always a little different. Namely, in this particular case, I knew I wanted to get a list of domains, but I built it bigger than I had originally expected. So I had to deal with how to categorize it better, and, for example, find out whether it makes sense to divide it geographically. That worked fine for domains like .co, .uk, and .nz, but the real challenge was what to do with the huge number of generic domains (like .com), which could not be sorted by location.
JAXenter: Moving on to more serious aspects, the open source ecosystem of Apache seems to be taking a hit lately. Your research discovered that most of the affected websites with an open .git folder were using the Apache HTTP Server, and most recently, a crucial vulnerability was discovered in Apache Struts that threatened remote code execution. What’s more, some months ago, the Synopsys Open Source Security Risk Analysis (OSSRA) report showed significant vulnerabilities in the open source ecosystem. As a security specialist, what is your take on the situation?
Vladimír Smitka: That is a truly difficult question. I don’t view open source with such hopelessness. On the contrary, I’m a big fan of open source projects. There are lots of clear advantages over the closed ecosystem – e.g. when a bug occurs, it is fixed very quickly and the community knows about it. If a critical issue occurs in a closed source system, it may persist for a long time, and users may not be informed at all and may not even know they need to update (a great example is various network devices). Of course, I recommend that every open source user watch what is happening with the system they use. A great way to do this is to actively participate in and stay up-to-date with threads.
Actually, the research showed that the problem is often not in the open source itself, but in misconfigured web servers. Most of the problems are caused by insufficient communication between the developer and the server administrator. In many cases, it was possible to download all the source files of the application, which is a mistake in the configuration, not in the application itself. It had nothing to do with open vs. closed source. The information from the .git folder only gave me a hint of where to look.
JAXenter: I am sure you have discussed this topic countless times by now, but let us go back to the GDPR fever. What are the GDPR implications of the results of your research? I can only imagine that websites with open .git folders that allow access to personal data can be at high risk of breaching the GDPR.
Vladimír Smitka: In central Europe, where I am familiar with the happenings around GDPR, the fever opened the discussion on privacy protection. I think this is a great benefit because almost nobody cared about it before. The impact varies from website to website. I found many simple static sites with (probably) no sensitive data. On the other hand, I also found the website of a medical software company where medical records of thousands of patients were accessible in the .git folder, which is obviously an extremely serious problem. I try to solve these kinds of cases individually, and in this case, they ignored my emails, so I had to call them in person. After the call, they finally started to take this issue seriously and fixed it. It is necessary to keep in mind that what doesn’t seem like a problem today may be a problem tomorrow. Even if there isn’t any sensitive data accessible now, it can become so later on.
JAXenter: Finally, just for the record, what happened with that threat to call the Canadian police that you received? I hope they didn’t follow through with it!
Vladimír Smitka: Fortunately, they haven’t contacted me yet; it’s not easy to find the Czech Republic on a map. What’s more, I was actually surprised that I received so few complaints and threats compared to my other research. I think it was because of the uniqueness of this project, as I gained direct contact with the developers, and they can usually comprehend the consequences. For that very reason, I received an incredible amount of positive feedback, which makes me happy and encourages me to continue with my security research.