While the source code for any website is available to anyone who can right-click, that only covers the client-side code. To view the actual server-side code where the magic happens, you’d need access to the web server itself. But why make it so hard for hackers and other ne’er-do-wells, when you could just publish that code on your public-facing production site… like eBay Japan did.
During a “research project” to “find critical vulnerabilities in Alexa Top 1 Million websites”, Austrian security consultant David Wind discovered that eBay Japan had unwittingly published its Git repository to its live website.
Git is version control software in which developers “commit” source code changes over time. As such, it’s possible to view not only the current state of the code, but every alteration that has ever been made to it, including files and credentials that were later removed.
Even worse, eBay Japan’s repository contained very sensitive information — more than enough for Wind to cripple the site, if he so desired:
I was able to download about 700 MB of compressed data. After extracting, I got 1.2 GB of data to go through. The data-set contained:
- WordPress configuration files (yes, they use WordPress) including hashed user credentials for the backend login
- Database passwords for production databases
- Log files
- A lot of PHP source code (who could have guessed?!)
- much more…
While only eBay Japan was affected, I’d be surprised if there aren’t significant portions of shared code among all of eBay’s regional sites. To eBay’s credit, the problem was fixed within 12 hours of Wind reporting it to the company.
Still, that’s quite the error to make!
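The practical lesson from this story is a pre-deployment and monitoring one: never ship a `.git` directory (or any other VCS metadata) inside the web root, and watch the access log for requests that touch one. The script below is an added example written for this article, not code from eBay, Wind, or the original post. It does two things: it walks a document root and reports VCS metadata (the `.git` directory itself, and the plain `.git` file that Git worktrees and submodules use as a pointer), and it filters Apache/nginx-style combined access-log lines for requests to VCS paths, recording the status code so you can tell a blocked probe (404) from an actual leak (200). The web root layout and the log lines are constructed for the demo.

```python
"""Pre-deploy check and log detection for version-control metadata in a web root.

Added example; the layout of the temporary web root and the access-log lines
below are constructed for the demo and do not come from the eBay Japan incident.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Names that carry VCS metadata. ".git" can be a directory or a plain file
# containing "gitdir: <path>" (worktrees and submodules); both must be caught.
VCS_NAMES = {".git", ".svn", ".hg", ".bzr"}


def find_vcs_metadata(webroot: str) -> list[str]:
    """Return web-root-relative paths of every VCS directory or pointer file."""
    root = Path(webroot)
    hits: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_NAMES:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
                dirnames.remove(name)  # no need to descend into the repo itself
        for name in filenames:
            if name in VCS_NAMES:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


# Combined-log-format request line and status: "GET /path HTTP/1.1" 200
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A VCS directory at any depth: "/.git/HEAD" matches, "/.gitignore" does not.
VCS_PATH = re.compile(r"/\.(git|svn|hg|bzr)(/|$)")


def vcs_probes(log_lines: Iterable[str]) -> list[tuple[str, int]]:
    """Return (path, status) for every request that touched a VCS path.

    A 200 here means the server actually served the metadata; a 404 or 403
    means the request was made but blocked.
    """
    findings: list[tuple[str, int]] = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and VCS_PATH.search(m.group("path")):
            findings.append((m.group("path"), int(m.group("status"))))
    return findings


def served_vcs_paths(findings: Iterable[tuple[str, int]]) -> list[str]:
    """Only the VCS paths the server answered with 200: the confirmed leaks."""
    return [path for path, status in findings if status == 200]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2020:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.7 - - [01/Jan/2020:10:01:06 +0000] "GET /.git/config HTTP/1.1" 200 311',
    '198.51.100.4 - - [01/Jan/2020:10:02:00 +0000] "GET /.gitignore HTTP/1.1" 404 153',
    '198.51.100.4 - - [01/Jan/2020:10:02:01 +0000] "GET /.svn/entries HTTP/1.1" 404 153',
]


def demo() -> tuple[list[str], list[tuple[str, int]]]:
    """Build a constructed web root with a repo and a worktree pointer, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // placeholder front controller\n")
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / ".git").write_text("gitdir: ../../plugin-repo/.git\n")
        tree_hits = find_vcs_metadata(tmp)
    return tree_hits, vcs_probes(SAMPLE_LOG)


if __name__ == "__main__":
    tree_hits, log_hits = demo()
    print("VCS metadata in web root:", tree_hits)
    print("VCS requests in log:", log_hits)
    print("Confirmed leaks:", served_vcs_paths(log_hits))
```

Run the tree check in the deployment pipeline and fail the build on any hit; in production, pair it with a web-server rule that denies dot-directories, and alert on any 200 returned for a VCS path. One caveat follows directly from how Git works: once a repository has been served, removing `wp-config.php` or a database password in a later commit changes nothing, because the old blob is still in the history that was downloaded. Treat every credential in the repository as compromised and rotate it.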