
ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online

Ooo, double irony!

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.

The vulnerability in question allowed the entire contents of the website's /.git/ repository to be cloned, as Pen Test Partners explained in a blog post about what it found on advice site GDPR.eu.

"The irony of an EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy.

GDPR.eu is run by Proton Technologies AG, better known as the Swiss corporation behind email service ProtonMail, which prides itself on being leader of the pack for all things security and privacy. While not an official site as such, it bears a prominent header that reads: "This project is co-funded by the Horizon 2020 Framework Programme of the European Union," along with an EU flag graphic.


Within the /.git/ repo were the keys to GDPR.eu's WordPress kingdom: a full and unabridged copy of wp-config.php. In a WordPress installation, wp-config.php is the critical file containing a plaintext copy of the username and password for the SQL database powering the entire site. Someone malicious with those creds could wipe the site, rewrite its contents or deface it.

"This is an internal system, so it wouldn't be a trivial matter to compromise it externally unless the password is re-used elsewhere," noted PTP, in fairness to Proton Technologies.

A spokesman for Proton Technologies told The Register this was a "legitimate finding" while agreeing with the level of seriousness.

He said: "We were informed of this issue on Friday, the 24th of April, and a fix was deployed shortly afterwards. gdpr.eu is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to gdpr.eu being defaced because database access is limited to internal only. Nevertheless this is a legitimate finding under our bug bounty program. It's important to note that no personal information is stored at gdpr.eu and at no point was any sensitive data at risk."

Should you have carelessly uploaded your /.git/ repository alongside your WordPress website, treat any creds in it – not just those in wp-config.php – as compromised and change them immediately, advised PTP. Such creds could include, for example, the admin username and password for the WordPress installation. ®
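The two practical questions behind this story are "is my /.git/ directory reachable from the web?" and "if it is, which values in wp-config.php do I have to rotate?". The following is an added example written for this page, not code from Pen Test Partners or Proton Technologies. The exposure check inspects the content of /.git/HEAD rather than trusting a 200 status, because many sites answer 200 for every path; the wp-config.php sample, its hostname and its credentials are constructed placeholders, and the list of secret-bearing constants (the DB settings plus WordPress's auth keys and salts) is the standard set, not anything taken from the GDPR.eu repository.

```python
"""Added example: check a site for an exposed /.git/ directory and list the
secrets in a leaked wp-config.php that must be rotated. Not from the article."""
import re
import urllib.error
import urllib.request

# A genuine .git/HEAD is either "ref: refs/heads/<branch>" or, when detached,
# a bare 40-hex commit id. Error pages and catch-all 200 responses are neither.
GIT_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")


def looks_like_git_head(body: bytes) -> bool:
    """True if the response body is a plausible .git/HEAD file."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return GIT_HEAD_RE.match(text) is not None


def probe_git_exposure(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD and judge it by content.
    Only run this against systems you are authorised to test."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and looks_like_git_head(resp.read(512))
    except (urllib.error.URLError, OSError):
        return False


# wp-config.php stores settings as define('NAME', 'value'); statements.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)"""
)

# Everything here is a secret: the DB credentials the article describes, plus the
# auth keys and salts, which let an attacker forge WordPress session cookies.
SECRET_CONSTANTS = {
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}


def extract_wp_secrets(wp_config: str) -> dict:
    """Return the secret-bearing define()s from a wp-config.php body."""
    return {
        m.group("name"): m.group("value")
        for m in DEFINE_RE.finditer(wp_config)
        if m.group("name") in SECRET_CONSTANTS
    }


# Constructed sample of a wp-config.php; host and credentials are invented.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_app' );
define( 'DB_PASSWORD', 'Correct-Horse-Battery' );
define( 'DB_HOST', '10.0.0.5' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(looks_like_git_head(b"ref: refs/heads/master\n"))  # True
    print(looks_like_git_head(b"<html>Not Found</html>"))     # False
    for name, value in sorted(extract_wp_secrets(SAMPLE_WP_CONFIG).items()):
        print(f"rotate {name} (currently {value!r})")
```

If the probe returns True, a `git clone` style download of the directory is usually possible, so rotate every value the second function lists, not just DB_PASSWORD, and then deny web access to /.git/ at the web server; the test for the fix is the same probe returning False.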
