By: vinothpkumar
November 26, 2016

Information Disclosure ( Gitignore files ) - Whatsapp


Hi Readers,

While conducting an assessment in WhatsApp web application, I noticed the .gitignore file was being exposed.

What are .gitignore files?

This is a user-defined file that tells git not to track certain files. For example, if you add a "temp.txt" file to your git repository and check the status with the command "git status", it will list temp.txt as an untracked file. If you don't want temp.txt to be tracked, you add its name to your .gitignore file. You can also list a whole folder to ignore everything under it, and patterns may use * wildcards.

.gitignore

    temp.txt
    assets/videos
    assets/docs_*.php

For example, see the .gitignore file of brakeman:

https://github.com/presidentbeef/brakeman/blob/master/.gitignore
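To make the matching rules above concrete, here is an added example (not code from the original post) that parses a small .gitignore and applies git's core semantics: a plain name matches at any depth, a pattern containing a slash is anchored to the repository root, a trailing slash matches directories only, `*` does not cross a directory separator, and the last matching rule wins. It also lists the names an exposed .gitignore hands to a reader. The sample file is constructed from the entries shown on the page plus a comment and a negation line; `**` and backslash escapes are deliberately not handled.

```python
import re

# Constructed sample .gitignore that combines the entries shown on the page
# with a comment and a negation rule, so every syntax branch below is exercised.
SAMPLE_GITIGNORE = """\
# build output and media
temp.txt
assets/videos
assets/docs_*.php
node_modules/
!assets/docs_keep.php
"""


def _glob_to_regex(pattern):
    """Translate a gitignore glob to a regex; '*' and '?' never cross '/'."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def parse_gitignore(text):
    """Return rules as (regex, negated, dir_only, anchored) in file order.

    Subset of git's syntax: comments, '!' negation, trailing '/' for
    directory-only patterns, '*'/'?' globs. '**' and backslash escapes are
    not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        # A slash anywhere else anchors the pattern to the .gitignore directory;
        # a plain name matches at any depth.
        anchored = "/" in line
        line = line.lstrip("/")
        rules.append((_glob_to_regex(line), negated, dir_only, anchored))
    return rules


def is_ignored(path, rules, is_dir=False):
    """Decide whether 'path' (relative to the repo root) is ignored.

    Rules are applied in order and the last match wins. A path is also ignored
    when any ancestor directory matches, as git excludes whole subtrees.
    """
    path = path.strip("/")
    parts = path.split("/")
    # The path itself plus each ancestor, e.g. a/b/c -> a, a/b, a/b/c
    candidates = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    ignored = False
    for regex, negated, dir_only, anchored in rules:
        for cand in candidates:
            cand_is_dir = is_dir or cand != path
            if dir_only and not cand_is_dir:
                continue
            subject = cand if anchored else cand.rsplit("/", 1)[-1]
            if regex.fullmatch(subject):
                ignored = not negated
                break
    return ignored


def disclosed_paths(text):
    """Every file or directory name a reader learns from an exposed .gitignore."""
    return [line.strip().lstrip("!") for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


if __name__ == "__main__":
    rules = parse_gitignore(SAMPLE_GITIGNORE)
    for p in ("temp.txt", "src/temp.txt", "assets/videos/intro.mp4",
              "assets/docs_old.php", "assets/docs_keep.php",
              "node_modules/express/index.js"):
        print(f"{p:35} ignored={is_ignored(p, rules)}")
    print("disclosed:", disclosed_paths(SAMPLE_GITIGNORE))
```

Run it and compare `assets/docs_old.php` (ignored) with `assets/docs_x/y.php` (not ignored): the `*` stops at the slash. The `disclosed_paths` output is exactly the folder structure and file names that leak when the file is served over HTTP.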

If you look carefully, .gitignore files disclose folder structure and file names, and the file usually sits in the root of your main branch. While testing the WhatsApp web application, I happened to visit the following URL https://www.whatsapp.com/.gitignore. It downloaded the .gitignore file from the WhatsApp project.

.gitignore

    node_modules/

As you can see, it discloses the node_modules folder: they didn't want changes in the node_modules folder to be tracked by git. I reported this issue to Facebook security team. Since it was not a sensitive disclosure, they rejected my submission.

Remediation: It’s a best practice to restrict access to .gitignore files.
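One way to enforce that remediation at the application layer, as an added example that is not from the original post: a WSGI middleware that answers 404 for any request whose path contains a segment beginning with a dot, so .gitignore and every other dotfile are unreachable through the app. The check percent-decodes and normalises the path first so that encoded or `..`-laden forms are caught too, and it exempts `.well-known` because ACME challenges need it. The `demo_app` and `request` helpers are constructed stand-ins for a real application and client.

```python
import posixpath
from urllib.parse import unquote


def is_hidden_path(path, allowed=(".well-known",)):
    """True when any segment of the request path starts with '.'.

    The path is percent-decoded and normalised first, so '/%2Egitignore' and
    '/static/../.git/config' are caught as well as the plain form. Names in
    'allowed' (by default .well-known, used for ACME challenges) are exempt.
    """
    normalized = posixpath.normpath("/" + unquote(path))
    return any(seg.startswith(".") and seg not in allowed
               for seg in normalized.split("/") if seg)


def deny_dotfiles(app):
    """WSGI middleware: answer 404 for dotfile paths, else pass through."""
    def middleware(environ, start_response):
        # PATH_INFO is already decoded by the server; decoding again only
        # makes the check stricter, never more permissive.
        if is_hidden_path(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Stand-in application that would otherwise serve anything requested."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + environ["PATH_INFO"].encode()]


def request(app, path):
    """Tiny in-process WSGI client used for the demo: returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = deny_dotfiles(demo_app)
    for p in ("/index.html", "/.gitignore", "/static/../.git/config",
              "/%2Eenv", "/.well-known/acme-challenge/token"):
        print(p, "->", request(app, p))
```

In a typical deployment the same rule belongs in front of the application as well, since a static-file server will answer before the middleware runs: nginx's `location ~ /\. { deny all; }` and Apache's `<FilesMatch "^\.">` with `Require all denied` express the same policy. Returning 404 rather than 403 avoids confirming that the file exists. The rule also covers `.git/` and `.env`, which would expose far more than a list of ignored paths.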

Thanks and Regards,

Vinoth Kumar
