GDPR.EU Was Meant to Give Advice on Virtual Privacy but It Exposed Passwords Instead

GDPR.EU Data Leak

On Monday, Vangelis Stykas and Joe Durbin from Pen Test Partners wrote about 'the irony' of finding a data leak in GDPR.EU. As you can see, the leak (which has since been secured) occurred on a website dedicated to the European Union's General Data Protection Regulation that was passed a couple of years ago. The web page was partially funded by the EU itself, and it's supposed to give organizations information on what they need to do to comply with GDPR.

You can see why someone might classify the leak as "ironic," but if you view the story from a different angle, you could argue that there's absolutely no irony in a GDPR-related website leaking data. Any website, regardless of its purpose, can theoretically become vulnerable to cyberattacks. What is ironic in this particular case, however, is how GDPR.EU leaked the data and who was responsible for its security.

An exposed .git folder put GDPR.EU at risk

GDPR.EU's developers used Git, a version-control tool, to track the versions of their code and the changes they make to it. When Git is used to build a website, it keeps a lot of sensitive information (including the entire source code and its full change history) in a .git folder, which, by default, is placed in the root directory of the project. Often, developers tasked with launching a website simply copy/paste that root directory to the production server, and the .git folder ends up online along with everything else. At that point, sensitive information is already sitting on the server, and if directory listing is enabled (a configuration mistake that is not as uncommon as it should be), browsing through it from anywhere in the world is trivial.

In the case of GDPR.EU, when Pen Test Partners' experts took a peek inside the .git folder, they found quite a few files created by WordPress, the content management system on which the website is built. One of them, wp-config.php, contained the password for GDPR.EU's MySQL database. As the researchers pointed out, this is an internal system, so using this password to corrupt or steal the database would not be easy. Nevertheless, password reuse is so common nowadays that we shouldn't rule out the chances of the same credentials unlocking other GDPR.EU-related resources. What's more, the .git folder also contained Authentication Unique Keys and Salts, which, according to Pen Test Partners, could allow attackers to deface or compromise the website.
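The two mistakes described above (shipping the .git folder to the document root, and keeping a credential-bearing file such as wp-config.php inside the tree that gets deployed) are both easy to catch before the copy to production happens. The following is an added example, not code from Pen Test Partners, GDPR.EU or Cyclonis: a small pre-deploy audit that walks a web root and reports version-control directories and known secret-holding files. The function names, the list of extra file names beyond wp-config.php, and the sample directory it builds are my own assumptions; the sample contains placeholder strings, not real credentials.

```python
"""Pre-deploy audit for a web root: flag a checked-out .git directory and
configuration files that carry secrets (e.g. wp-config.php) before the tree
is copied to a production server.

Added example for illustration; not code from Pen Test Partners, GDPR.EU
or Cyclonis. Names such as audit_webroot() are assumptions of this example.
"""
import os
import tempfile
from pathlib import Path

# File names that commonly hold credentials in a WordPress / PHP deployment.
# wp-config.php is the file named in the article; the others are assumptions.
SENSITIVE_FILES = {"wp-config.php", ".env", ".htpasswd"}

# Version-control metadata directories that must never reach a document root.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}


def audit_webroot(webroot):
    """Walk `webroot` and return a sorted list of (kind, relative_path).

    kind is "vcs-dir" for a version-control metadata directory and
    "secret-file" for a configuration file that should live outside the
    document root (or be generated on the server, never committed).
    """
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(("vcs-dir", str(rel_dir / d)))
                dirnames.remove(d)  # one finding is enough; do not descend
        for f in filenames:
            if f in SENSITIVE_FILES:
                findings.append(("secret-file", str(rel_dir / f)))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway directory that mimics the mistake in the article:
    a WordPress tree copied to production together with its .git folder.
    Everything written here is a constructed placeholder."""
    base = Path(tempfile.mkdtemp(prefix="webroot-"))
    (base / ".git" / "objects").mkdir(parents=True)
    (base / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (base / "wp-config.php").write_text(
        "<?php define('DB_PASSWORD', 'PLACEHOLDER-NOT-A-REAL-SECRET');\n")
    (base / "wp-content" / "themes").mkdir(parents=True)
    (base / "index.php").write_text("<?php // front controller\n")
    return base


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, path in audit_webroot(sample):
        print(f"{kind:12} {path}")
    # prints:
    # secret-file  wp-config.php
    # vcs-dir      .git
```

Run it against the directory you are about to publish and treat any finding as a blocker. The usual fixes are to deploy from `git archive` or with `rsync --exclude .git` rather than copying the working tree, to keep wp-config.php out of the repository and generate it on the server, and, as a second layer, to configure the web server to refuse requests for any path beginning with `/.git` and to keep directory listing off.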

Public .git folders have been a problem for a while now

.git folders are nothing new, and neither are the configuration errors that lead to their exposure. For years, security researchers have been talking about the importance of securing the data in .git folders, and quite a few surveys have been conducted, which show that developers and system administrators are failing to heed the advice. In 2018, for example, Czech security expert Vladimir Smitka scanned around 230 million domains and found that 390 thousand of them had their .git folders exposed. The scan cost him $250, which, considering how costly a single breach could be, is nothing. By contrast, Pen Test Partners didn't spend even a penny finding out that GDPR.EU had exposed its data.

There is a browser extension that can identify websites that leak data due to a public .git folder. It's called DotGit, and it's available completely free of charge. A member of Pen Test Partners' team had it installed and was simply looking for more information on GDPR. This is how easy it was to find the data leak. Fortunately, fixing the problem didn't prove too difficult, either.

ProtonMail’s developers made the blunder

Within four days of the initial disclosure, the .git folder was secured, and the information was no longer publicly accessible. What is interesting (and slightly ironic) is that the company that operates and is responsible for the security of GDPR.EU is called Proton Technologies AG, the developer of ProtonMail. In other words, the people who promise users a completely secure end-to-end encrypted email service made a pretty basic configuration error that could have put an entire project at risk. Let's hope we see fewer such incidents in the future.

April 28, 2020