- Proton left the Git repository of its “GDPR.EU” website publicly exposed because of a web server misconfiguration.
- The flaw was trivial to spot (a browser extension flagged it), and Proton fixed it promptly.
- No sensitive data was exposed, but the incident is nonetheless a textbook reminder of basic security hygiene.
The GDPR compliance advisory website “GDPR.EU” has had a security incident: a misconfiguration left its Git repository reachable over the web, potentially allowing anyone to clone it and pull the MySQL usernames and passwords stored in it. There is an obvious irony in a site that advises visitors on complying with data protection requirements failing to protect its own data. To make matters worse, the portal is operated by “Proton Technologies AG,” the Swiss security and privacy company known for its end-to-end encrypted email products.
Penetration testers discovered the issue, and Proton responded quickly, deploying a fix within four days of their report. The testers spotted the problem thanks to the “DotGit” browser extension, which checks whether “/.git/” is exposed on the site being visited. To their surprise, GDPR.EU’s Git repository was reachable, so it could be cloned. The reporters further claim that, using the authentication keys and MySQL passwords found there, it would have been possible to deface or otherwise compromise the website. However, the following response that we received from Proton disputes this claim.
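The check DotGit performs is easy to reproduce and worth running against your own sites. The script below is an added example (not Proton’s code and not DotGit’s source): it probes the well-known files `/.git/HEAD`, `/.git/config` and `/.git/index` and validates each body’s format, so a server that answers 200 with an HTML error page for every path (a soft 404) is not reported as a hit. The hostname `example.test`, the constructed responses and the `deploy:hunter2` credential in the sample config are all made up for the demonstration; the `fetch` callable is injectable so the check can run offline.

```python
"""Detect an exposed .git/ directory the way a DotGit-style scanner does.

Added example for this article, not Proton's or DotGit's code.  `fetch`
is injectable so the check runs offline against constructed responses.
"""
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# .git/HEAD is either "ref: refs/heads/<branch>" or a bare commit hash
# (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones).
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")
# Remote URLs with embedded credentials: url = scheme://user:pass@host/...
CRED_URL_RE = re.compile(rb"url\s*=\s*\S+?://([^:/@\s]+):([^@\s]+)@")


def looks_like_git_head(body: bytes) -> bool:
    return HEAD_RE.match(body.strip()) is not None


def looks_like_git_config(body: bytes) -> bool:
    # .git/config is INI-style and always carries a [core] section.
    return b"[core]" in body


def looks_like_git_index(body: bytes) -> bool:
    # .git/index is binary and starts with the "DIRC" signature.
    return body.startswith(b"DIRC")


def credentials_in_config(body: bytes) -> list:
    """Usernames of remotes whose URL embeds a password (passwords not returned)."""
    return [user.decode("ascii", "replace") for user, _pw in CRED_URL_RE.findall(body)]


# Probe paths in the order a scanner tries them, each with its validator.
PROBES = {
    "/.git/HEAD": looks_like_git_head,
    "/.git/config": looks_like_git_config,
    "/.git/index": looks_like_git_index,
}


def http_fetch(url: str, timeout: float = 5.0):
    """Default fetcher for real use: returns (status, body-prefix)."""
    try:
        req = Request(url, headers={"User-Agent": "git-exposure-check"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except HTTPError as exc:
        return exc.code, b""
    except URLError:
        return None, b""


def check_git_exposure(base_url: str, fetch=http_fetch) -> dict:
    """Probe the well-known .git files and report which look genuine."""
    base = base_url.rstrip("/")
    hits, creds = [], []
    for path, validator in PROBES.items():
        status, body = fetch(base + path)
        if status != 200 or not validator(body):
            continue  # missing, blocked, or a soft-404 page: not a hit
        hits.append(path)
        if path == "/.git/config":
            creds = credentials_in_config(body)
    return {"exposed": bool(hits), "hits": hits, "credentialed_remotes": creds}


# Constructed responses (no real servers): one exposed site, one soft-404 site.
EXPOSED_SITE = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"
                          b'[remote "origin"]\n'
                          b"\turl = https://deploy:hunter2@git.example.test/site.git\n"),
    "/.git/index": (200, b"DIRC\x00\x00\x00\x02\x00\x00\x00\x2a"),
}
SOFT_404_SITE = {p: (200, b"<html><body>Page not found</body></html>") for p in PROBES}


def fake_fetch(site: dict):
    """Build a fetch() that answers from a constructed path->response map."""
    def fetch(url: str):
        return site.get(urlsplit(url).path, (404, b""))
    return fetch


if __name__ == "__main__":
    print("exposed site :", check_git_exposure("https://example.test", fake_fetch(EXPOSED_SITE)))
    print("soft-404 site:", check_git_exposure("https://example.test", fake_fetch(SOFT_404_SITE)))
```

Run it with the default `http_fetch` against a site you are authorised to test; a hit on `/.git/HEAD` is normally enough for `git clone`-style recovery of the whole history, so treat any hit as an incident rather than waiting to confirm the other files.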
“We were informed of this issue on Friday, the 24th of April and a fix was deployed shortly afterwards. gdpr.eu is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to gdpr.eu being defaced because database access is limited to internal only. Nevertheless, this is a legitimate finding under our bug bounty program. It’s important to note that no personal information is stored at gdpr.eu and at no point was any sensitive data at risk.”
Whatever the case, keeping the “/.git/” directory out of a published site, or at least blocking requests to it at the web server, is a basic precaution: a deploy that copies a working tree into the document root ships the whole commit history with it, and any secret ever committed can be recovered from that history even if it was later removed from the files. Even though no sensitive data was at stake here, that is no excuse for skipping proper security practices. Of course, even the most capable security teams make mistakes and suffer misconfigurations, and these can go unnoticed when they happen on less critical platforms such as “GDPR.EU.” All that said, let this be a case that raises awareness among other website administrators.
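For administrators who cannot guarantee that a deploy never copies `.git/` into the document root, a server-side block is the safety net. The nginx fragment below is an added example, not Proton’s configuration; the hostname, document root and certificate handling are assumed. The comment marks what happens in the weak case, where no such rule exists.

```nginx
server {
    listen 443 ssl;
    server_name example.test;            # assumed hostname
    root /var/www/example.test/public;   # assumed document root

    # Weak setting: with no rule here, nginx serves any file under `root`,
    # so a .git/ directory copied in by a deploy step is fully readable.
    # Corrected: answer 404 (not 403, which confirms the directory exists).
    # `return` is evaluated before try_files/index processing in this block.
    location ~ /\.git(/|$) {
        return 404;
    }

    # Broader variant covering other dotfiles and directories (.env, .svn,
    # .htpasswd, ...) while still allowing /.well-known/ for ACME challenges.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The equivalent on Apache httpd 2.4 is `RedirectMatch 404 "/\.git"` in the virtual host. Better still, never put the repository there in the first place: publish with `git archive` (which writes only the tracked files of one commit) or `rsync --exclude='.git/'`, then re-run a check like the one above after each deploy.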