Data Breach

French rugby club Stade Français leaks source code

Prestigious club Stade Français potentially endangered its fans for over a year after leaking its website’s source code.

Stade Français is a professional rugby union club based in Paris. Founded in 1883 and competing in France’s premier rugby league, Top 14, it has established itself as one of the most successful teams in the country, with a dedicated fan base of hundreds of thousands of followers on social media.

Cybernews recently discovered that the server hosting the official Stade Français website was leaking its source code through the publicly accessible .git directory. The website provides fans with daily news updates, upcoming matches, match reviews, ticketing services, and a merchandise shop.

Poor access control to .git directories potentially enabled threat actors to make unauthorized changes to the club’s server. If the threat actors had exploited the vulnerability, it might have posed risks to the users’ data and could have potentially resulted in the takeover of the server.

Git is a popular tool that enables tracking code changes and helps programmers to collaborate. The .git directory is the place where the metadata and object database of the projects are stored.

Client ID is left in the code that allows unauthorized threat actors to craft authorized requests to admin related endpoints

Serious security risks

Unsecured access to the website’s .git directory potentially allowed anyone to partially or fully download the application’s source code. It raises concern, since threat actors might have exploited the vulnerability to deceive users into installing malicious apps.

Threat actors might have also used the access to add skimmers, which allow payment card stealers into the website’s online store that would have compromised fans and therefore harmed the club’s reputation.

Also, researchers could find clients’ IDs while analyzing the source code. Having such information can potentially enable unauthorized actions on behalf of users or platform admins. The club’s .git was accessible for more than 420 days until Cybernews reached out to Stade Francais and it fixed the security issue.

Git configuration file shows all the different working branches of the repository

Millions of .git folders accessible to public

Leaving the .git folder exposed allows threat actors to gain access to the source code repository, make changes or steal the code.

Despite the potential dangers, many companies still leave .git directories publicly accessible, endangering their business and customers. Previous research by Cybernews revealed that nearly two million .git folders containing vital project information are exposed to the public.

Over 31% of publicly accessible .git folders are located in the US, followed by China (8%) and Germany (6.5%.)

How to secure .git folders?

Give a look at the original post @ https://cybernews.com/security/stade-francais-rugby-club-leaks-source-code/

About the author: Paulina Okunytė 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, rugby )

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Apple confirmed that Messages app flaw was actively exploited in the wild<gwmw style="display: none; background-color: transparent;"></gwmw>

Apple confirmed that a security flaw in its Messages app was actively exploited in the…

2 hours ago

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer…

5 hours ago

Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Security researchers at Citizen Lab revealed that Paragon's Graphite spyware can hack fully updated iPhones…

16 hours ago

SinoTrack GPS device flaws allow remote vehicle control and location tracking

Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by…

1 day ago

U.S. CISA adds Wazuh, and WebDAV flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Wazuh, and WebDAV flaws to its Known…

1 day ago

Exposed eyes: 40,000 security cameras vulnerable to remote hacking

Over 40,000 internet-exposed security cameras worldwide are vulnerable to remote hacking, posing serious privacy and…

1 day ago