Information Disclosure ( Gitignore files ) – Whatsapp

November 26, 2016 | Views: 4265


Hi Readers,

While conducting an assessment in WhatsApp web application, I noticed the .gitignore file was being exposed.

What are .gitignore files?

This is a user-defined file which tells git not to track certain files. For example, if you add a “temp.txt” file to your git repository and check the status with the command “git status”, it will list “temp.txt” as an untracked file. If you don’t want temp.txt to be tracked, you add its filename to your .gitignore file. You can ignore a complete folder in the same way by listing it, and patterns may also use * wildcards.
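To make that behaviour concrete, here is an added example (not part of the original post, and not git’s own code): a small Python matcher for the subset of .gitignore syntax the post mentions (plain filenames, whole folders, * wildcards), extended with the `!` negation and root-anchoring rules git also applies. The sample .gitignore content and all function names are constructed for this example. `disclosed_names` lists the concrete file and folder names such a file reveals to anyone who can read it, which is the disclosure the post is about.

```python
import re
from typing import List, NamedTuple

# Constructed sample .gitignore, modelled on a typical Node/Rails project.
# It is not the WhatsApp or brakeman file referred to in the post.
SAMPLE_GITIGNORE = """\
# build artefacts and dependencies
temp.txt
node_modules/
/config/secrets.yml
*.log
!important.log
tmp/
"""


class Rule(NamedTuple):
    pattern: str    # pattern with leading '!' / '/' and trailing '/' stripped
    negated: bool   # '!' prefix re-includes a previously ignored path
    dir_only: bool  # trailing '/' means the rule matches directories only
    anchored: bool  # a '/' elsewhere in the pattern anchors it to the repo root


def parse_gitignore(text: str) -> List[Rule]:
    """Parse .gitignore text into Rule objects (subset of git's syntax).

    Blank lines and '#' comments are skipped; '!' negates; a trailing '/'
    restricts the rule to directories; a pattern containing a '/' is anchored
    to the repository root; '*' and '?' never match across a '/'.
    '**' and '[...]' character classes are not handled.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = "/" in line          # any remaining slash anchors the pattern
        line = line.lstrip("/")
        rules.append(Rule(line, negated, dir_only, anchored))
    return rules


def _to_regex(pattern: str) -> str:
    """Translate gitignore '*' and '?' into a regex that does not cross '/'."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def _matches(rule: Rule, candidate: str, candidate_is_dir: bool) -> bool:
    if rule.dir_only and not candidate_is_dir:
        return False
    regex = _to_regex(rule.pattern)
    if rule.anchored:
        # anchored rules are compared against the whole repo-relative path
        return re.fullmatch(regex, candidate) is not None
    # unanchored rules match the last path component at any depth
    return re.fullmatch(regex, candidate.rsplit("/", 1)[-1]) is not None


def is_ignored(path: str, rules: List[Rule], is_dir: bool = False) -> bool:
    """Return True if the repo-relative, '/'-separated path is ignored.

    As in git, the last matching rule wins, and once a parent directory is
    excluded nothing beneath it can be re-included with a '!' rule.
    """
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        candidate = "/".join(parts[:depth])
        candidate_is_dir = True if depth < len(parts) else is_dir
        verdict = None
        for rule in rules:
            if _matches(rule, candidate, candidate_is_dir):
                verdict = not rule.negated
        if depth < len(parts):
            if verdict:
                return True   # an excluded ancestor directory settles it
        else:
            return bool(verdict)
    return False


def disclosed_names(rules: List[Rule]) -> List[str]:
    """Concrete file and folder names a reader of the .gitignore learns about.

    Wildcard rules reveal only a naming convention, so they are left out;
    negated rules still name a real path, so they are kept.
    """
    return sorted({r.pattern for r in rules if not any(c in r.pattern for c in "*?[")})


if __name__ == "__main__":
    rules = parse_gitignore(SAMPLE_GITIGNORE)
    for p in ["temp.txt", "node_modules/express/index.js", "important.log", "README.md"]:
        print(f"{p:32} ignored={is_ignored(p, rules)}")
    print("disclosed:", disclosed_names(rules))
```

Running the block prints which sample paths git would ignore and the five concrete names the file exposes; note that `config/secrets.yml` is exactly the kind of entry that turns a harmless-looking .gitignore into a map of where sensitive files live, even though the file itself contains no secret.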

Ex: You can find the sample .gitignore file of brakeman –

If you look carefully, .gitignore files disclose the folder structure and filenames, and the file is usually present in the root of your main branch. While testing the WhatsApp web application, I happened to visit the following URL. It downloaded the .gitignore file from the WhatsApp project.

As you can see, it discloses the “node_modules” folder: they didn’t want changes made in the node_modules folder to be tracked by git. I reported this issue to the Facebook security team. Since it was not a sensitive disclosure, they rejected my submission.

Remediation: It’s a best practice to restrict access to .gitignore files.
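One way to apply that remediation, shown here as an added example rather than anything from the original post or from WhatsApp’s configuration: an nginx location block that answers 404 for any request whose path contains a component beginning with a dot, which covers .gitignore along with .git/, .env and similar files that should never be served. Its placement (inside the server { } block for the site) and the ACME exception are assumptions about a typical deployment.

```nginx
# Added example: deny web access to dotfiles and dot-directories.
# Assumed to live inside the server { } block that serves the application.

# Exception (assumption): keep ACME HTTP-01 challenges reachable if you use them.
# A '^~' prefix location takes precedence over the regex location below.
location ^~ /.well-known/acme-challenge/ {
    allow all;
}

# Any path component starting with '.', e.g. /.gitignore, /.git/config, /.env
# Answer 404 rather than 403 so the block does not itself confirm the file exists.
location ~ /\. {
    return 404;
}
```

After `nginx -t` and a reload, a request for /.gitignore on your own site should return 404. Apache httpd 2.4 gets the same effect for files with a `<FilesMatch "^\.">` section containing `Require all denied`. Better still, keep .gitignore and the .git directory out of the document root altogether: deploy built output rather than a checkout of the repository, so there is nothing to block in the first place.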

Thanks and Regards,

Vinoth Kumar

  1. I do not think it’s a vulnerability. Even robots.txt and sitemap.xml give you information about folders & directories. But still we need them for webmasters. In fact, it’s one of the ways to say to robots ‘Do not touch these dirs’.

    I didn’t get the point ‘Remediation: It’s a best practice to restrict access to .gitignore files.’

    gitignore itself is a data restriction file

  2. Hi VikThorium,

    Thanks for pointing it out 🙂 You can inform the Cybrary team regarding the same.

    Vinoth Kumar

  3. The Cybrary webpage itself has not restricted access to the .gitignore file, check out:

    Here I see next:
