A misconfiguration on the GDPR.EU website allowed anyone to clone its Git repository, which could have let anyone extract the username and password for the MySQL database.
For the uninitiated, GDPR.EU is a website that advises visitors on how to comply with the data protection requirements for collecting data from website users. Yet the very site that explains the rules failed to protect its own data.
The affected online portal is managed and operated by Proton Technologies AG, a Swiss security and privacy company offering end-to-end encrypted email services.
Shortly after fixing the issue, Proton Technologies said, “We were informed of this issue on Friday, the 24th of April and a fix was deployed shortly afterwards. gdpr.eu is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to the gdpr.eu being defaced because database access is limited to internal only. Nevertheless, this is a legitimate finding under our bug bounty program. It’s important to note that no personal information is stored at gdpr.eu and at no point was any sensitive data at risk.”
DotGit is a simple browser extension that checks whether the /.git/ directory of a visited website is publicly exposed. Unexpectedly, gdpr.eu's repository turned out to be publicly reachable in exactly this way.
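As an added illustration (not DotGit's code and not from the article), here is a small self-check a site operator can run against their own domain to confirm that the .git directory is not reachable. It inspects the content of .git/HEAD and .git/config rather than trusting the status code, so a "soft 404" page served with HTTP 200 is not mistaken for a leak. The fetch helper and the hostnames used in the test are assumptions.

```python
"""Self-check: does a site serve its .git directory over HTTP?"""
import re
from typing import Callable, Dict, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Files present in every git checkout, each paired with a content check so a
# generic error page returned with status 200 does not count as exposure.
GIT_MARKERS: Dict[str, Callable[[bytes], bool]] = {
    # HEAD is either a symbolic ref or a bare 40-hex commit id (detached HEAD)
    ".git/HEAD": lambda b: b.startswith(b"ref: refs/")
    or re.fullmatch(rb"[0-9a-f]{40}\s*", b) is not None,
    # config always contains a [core] section
    ".git/config": lambda b: b"[core]" in b,
}


def http_fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Return up to 4 KiB of the response body, or None on any error."""
    req = Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read(4096)
    except (HTTPError, URLError, OSError):
        return None


def check_git_exposure(
    base_url: str, fetch: Callable[[str], Optional[bytes]] = http_fetch
) -> Dict[str, bool]:
    """Map each marker path to True if it is served with git-looking content."""
    base = base_url.rstrip("/") + "/"
    results: Dict[str, bool] = {}
    for path, looks_like_git in GIT_MARKERS.items():
        body = fetch(base + path)
        results[path] = body is not None and looks_like_git(body)
    return results


def is_exposed(base_url: str, fetch: Callable[[str], Optional[bytes]] = http_fetch) -> bool:
    """True if any marker file is reachable, meaning the repo can be cloned."""
    return any(check_git_exposure(base_url, fetch).values())


if __name__ == "__main__":
    import sys

    for site in sys.argv[1:]:
        print(site, "EXPOSED" if is_exposed(site) else "ok")
```

A True result means the web server should deny access to /.git (or the directory should be removed from the document root) and the repository history should be reviewed for committed credentials.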
As soon as Proton Technologies discovered the vulnerability, they fixed the issue within 4 days. In this case, no sensitive data was exposed, but everyone should be more cautious when handling this sort of data, as an exposed repository can leak a great deal of sensitive information about the database. Even giant security and privacy companies can sometimes make a mistake, and this is one of them. All website administrators are advised to keep an eye on the security side of things so that something like this does not happen in the future.