French rugby club Stade Français leaks source code

Pierluigi Paganini January 25, 2023

Prestigious club Stade Français potentially endangered its fans for over a year after leaking its website’s source code.

Stade Français is a professional rugby union club based in Paris. Founded in 1883 and competing in France’s premier rugby league, Top 14, it has established itself as one of the most successful teams in the country, with a dedicated fan base of hundreds of thousands of followers on social media.

Cybernews recently discovered that the server hosting the official Stade Français website was leaking its source code through the publicly accessible .git directory. The website provides fans with daily news updates, upcoming matches, match reviews, ticketing services, and a merchandise shop.

Poor access control to .git directories potentially enabled threat actors to make unauthorized changes to the club’s server. If the threat actors had exploited the vulnerability, it might have posed risks to the users’ data and could have potentially resulted in the takeover of the server.

Git is a popular tool that enables tracking code changes and helps programmers to collaborate. The .git directory is the place where the metadata and object database of the projects are stored.

screenshot of Guidus code leak
Client ID is left in the code that allows unauthorized threat actors to craft authorized requests to admin related endpoints

Serious security risks

Unsecured access to the website’s .git directory potentially allowed anyone to partially or fully download the application’s source code. It raises concern, since threat actors might have exploited the vulnerability to deceive users into installing malicious apps.

Threat actors might have also used the access to add skimmers, which allow payment card stealers into the website’s online store that would have compromised fans and therefore harmed the club’s reputation.

Also, researchers could find clients’ IDs while analyzing the source code. Having such information can potentially enable unauthorized actions on behalf of users or platform admins. The club’s .git was accessible for more than 420 days until Cybernews reached out to Stade Francais and it fixed the security issue.

screenshot of Guidus code leak
Git configuration file shows all the different working branches of the repository

Millions of .git folders accessible to public

Leaving the .git folder exposed allows threat actors to gain access to the source code repository, make changes or steal the code.

Despite the potential dangers, many companies still leave .git directories publicly accessible, endangering their business and customers. Previous research by Cybernews revealed that nearly two million .git folders containing vital project information are exposed to the public.

Over 31% of publicly accessible .git folders are located in the US, followed by China (8%) and Germany (6.5%.)

How to secure .git folders?

Give a look at the original post @

About the author: Paulina Okunytė 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, rugby )

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment