Information Disclosure (.gitignore files) – WhatsApp

November 26, 2016 | Views: 3932


Hi Readers,

While conducting an assessment of the WhatsApp web application, I noticed that the .gitignore file was exposed.

What are .gitignore files?

A .gitignore file is a user-defined file that tells git which files not to track. For example, if you create a file “temp.txt” in your working copy and run “git status”, git lists temp.txt as an untracked file. If you don’t want temp.txt to be tracked (and don’t want it to keep showing up in git status), add its name to your .gitignore. You can ignore a whole folder by listing the folder, and patterns may use * wildcards:

.gitignore

temp.txt
assets/videos
assets/docs_*.php

For a real-world example, see Brakeman’s .gitignore:

https://github.com/presidentbeef/brakeman/blob/master/.gitignore

Look carefully and you will see that a .gitignore file discloses directory structure and filenames, and more than that: it lists exactly which files the developers chose not to commit, such as build output, caches, uploaded content and, quite often, configuration files that hold credentials. The file normally sits at the root of the repository, so when the checkout itself is deployed as the web root, the web server will happily serve it to anyone who asks. While testing the WhatsApp web application, I happened to visit the URL https://www.whatsapp.com/.gitignore, and it downloaded the .gitignore file from the WhatsApp project.

.gitignore

node_modules/

As you can see, it discloses the “node_modules” folder (the directory where npm installs a Node.js project’s dependencies); they didn’t want changes in the node_modules folder to be tracked by git. I reported this issue to the Facebook security team. Since it was not a sensitive disclosure, they rejected my submission.
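Whether a served .gitignore matters depends entirely on what is in it, so below is an added example (not code from the original post, nor from WhatsApp or Cybrary): a small Python triage script for a .gitignore retrieved from a web root. It parses the file with git’s line rules (blank lines and “#” comments are skipped, “!” negates an entry, a trailing “/” marks a directory-only pattern, “\#” and “\!” are literal) and then rates each entry by what its presence implies, because an entry like wp-config.php says something quite different from node_modules/. The severity table is an assumption of this example, the sample file is constructed by merging the two listings shown on this page with a comment and a negation, and fetch_gitignore is a convenience for running the same triage against a live host (it is not exercised here).

```python
"""Triage a disclosed .gitignore file (added example, not the post's code)."""
import fnmatch
import posixpath
import urllib.request

# Assumed severity table for this example. Globs are matched case-insensitively
# against the last path component of each ignore entry, highest severity first.
SEVERITY_RULES = [
    ("HIGH", "likely holds credentials or data",
     ["wp-config.php", ".env", ".env.*", "*.pem", "*.key", "*.p12",
      "*.pfx", "*.sql", "*.sqlite", "id_rsa*", "*secret*", "*credential*"]),
    ("MEDIUM", "server config, logs or editor leftovers",
     [".htaccess", "*log*", "*.bak", "*.swp", "*.orig"]),
    ("LOW", "build output, caches or uploaded content",
     ["node_modules", "vendor", "dist", "build", "*cache*", "uploads",
      "tmp", "temp*"]),
]


def parse_gitignore(text):
    """Return entries as dicts: {raw, pattern, negated, directory_only}."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()          # git ignores trailing spaces unless escaped
        if not line or line.startswith("#"):
            continue                 # blank lines and comments carry no pattern
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        if line.startswith("\\#") or line.startswith("\\!"):
            line = line[1:]          # "\#" and "\!" mean a literal "#" or "!"
        directory_only = line.endswith("/")
        pattern = line.rstrip("/")
        if pattern:
            entries.append({"raw": raw, "pattern": pattern,
                            "negated": negated, "directory_only": directory_only})
    return entries


def classify(pattern):
    """Map one ignore pattern to (severity, reason) using SEVERITY_RULES."""
    name = posixpath.basename(pattern).lower()
    for severity, reason, globs in SEVERITY_RULES:
        if any(fnmatch.fnmatchcase(name, g) for g in globs):
            return severity, reason
    return "INFO", "reveals a path name only"


def triage(text):
    """Rate every non-negated entry, most interesting first (stable order)."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    rows = []
    for entry in parse_gitignore(text):
        if entry["negated"]:
            continue                 # "!x" re-includes x: it is committed, not hidden
        severity, reason = classify(entry["pattern"])
        rows.append((severity, entry["pattern"], reason))
    return sorted(rows, key=lambda row: order[row[0]])


def fetch_gitignore(base_url, timeout=5):
    """Request <base_url>/.gitignore and return its text, or None if not served.
    Network helper for live use only; nothing in this example calls it."""
    url = base_url.rstrip("/") + "/.gitignore"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:                # 404/403, TLS or DNS failure: treat as "not served"
        return None


# Constructed sample: the two listings from this page plus a comment and a
# negation, so every branch of the parser is exercised.
SAMPLE = """\
# build and dependency output
node_modules/
DOMPDF_LOG_OUTPUT_FILE
wp-content/cache
wp-content/uploads
!wp-content/uploads/.gitkeep
wp-config.php
.htaccess
"""

if __name__ == "__main__":
    for severity, pattern, reason in triage(SAMPLE):
        print(f"{severity:6} {pattern:28} {reason}")
```

Run it as a script to see the sample rated; against a real target, pass the result of fetch_gitignore on the site’s base URL into triage. A HIGH entry is only a lead: it tells you the developers expected such a file to exist in the working tree and deliberately kept it out of the repository, which is exactly why the next check is whether the web server also serves that file directly.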


Remediation: As a best practice, don’t serve .gitignore, or any other repository metadata, from the web root. Either keep the deployed document root separate from the repository checkout, or configure the web server to refuse requests for any path whose name begins with a dot; the same rule also covers .git/, .env and .htaccess. Keep in mind that .gitignore only hints at what was left out of the repository; an exposed .git/ directory is the far more serious case, since the source itself can be recovered from it.

Thanks and Regards,

Vinoth Kumar

4 Comments
  1. I do not think it’s a vulnerability. Even robots.txt and sitemap.xml give you information on folders and directories, but we still need them for webmasters. In fact, it’s one of the ways to tell robots “Do not touch these dirs”.

    I didn’t get the point of “Remediation: It’s a best practice to restrict access to .gitignore files.”

    gitignore itself is a data restriction file.

  2. Hi VikThorium,

    Thanks for pointing it out 🙂 You can inform the Cybrary team regarding the same.

    Regards,
    Vinoth Kumar
    http://www.tutorgeeks.net/

  3. Cybrary’s webpage itself has not restricted access to the .gitignore file; check out:

    https://www.cybrary.it/.gitignore

    Here I see the following:

    DOMPDF_LOG_OUTPUT_FILE
    wp-content/cache
    wp-content/uploads
    wp-config.php
    .htaccess
