Prestigious club Stade Français potentially endangered its fans for over a year after leaking its website’s source code.
Stade Français is a professional rugby union club based in Paris. Founded in 1883 and competing in France’s premier rugby league, Top 14, it has established itself as one of the most successful teams in the country, with a dedicated fan base of hundreds of thousands of followers on social media.
Cybernews recently discovered that the server hosting the official Stade Français website was leaking its source code through the publicly accessible .git directory. The website provides fans with daily news updates, upcoming matches, match reviews, ticketing services, and a merchandise shop.
Poor access control to .git directories potentially enabled threat actors to make unauthorized changes to the club’s server. If the threat actors had exploited the vulnerability, it might have posed risks to the users’ data and could have potentially resulted in the takeover of the server.
Git is a popular tool that enables tracking code changes and helps programmers to collaborate. The .git directory is the place where the metadata and object database of the projects are stored.
Client ID is left in the code that allows unauthorized threat actors to craft authorized requests to admin related endpoints Serious security risks
Unsecured access to the website’s .git directory potentially allowed anyone to partially or fully download the application’s source code. It raises concern, since threat actors might have exploited the vulnerability to deceive users into installing malicious apps.