According to a quick gevent script, more than 0.7% of the first 100,000 sites in Alexa’s top 1 million are serving their .git directories to the outside world.
A quick glance at the produced list reveals several interesting domains, including the FCC, some *chan boards, one SAAS security vendor (!), and an endless supply of .edu sites.
Why this is bad:
- Your directory structure becomes visible
- Identifying information is exposed across numerous files (e.g. logs/HEAD may contain a remote URL with embedded credentials, such as https://user:pw@domain/, in the initial commit log entry)
With a little work it should be possible to reconstruct a repository remotely (object packs being the only hard part).
Please take one moment to fetch your-domain.com/.git/config. If it returns text, fix it up today!
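As an added example (not code from the original post), here is a self-check that goes one step beyond "if it returns text": it fetches .git/HEAD and .git/config from a site you administer and only reports exposure when the bodies look like real git metadata, so a catch-all page that answers 200 with HTML is not a false positive. The base URL is a placeholder you supply on the command line.

```python
# Added example: self-check for an exposed .git directory on your own site.
# Not from the original post; the URL you pass in is your own domain.
import re
import sys
import urllib.error
import urllib.request

# Signatures of genuine git metadata, so a soft-404 HTML page is not mistaken
# for an exposed repository. HEAD is either "ref: refs/..." or a raw object id;
# every .git/config begins with a [core] section.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def looks_like_git_head(body: str) -> bool:
    """True if body is what .git/HEAD contains: a symbolic ref or an object id."""
    return HEAD_RE.match(body.strip()) is not None


def looks_like_git_config(body: str) -> bool:
    """True if body carries the [core] section and is not an HTML error page."""
    return CONFIG_RE.search(body) is not None and "<html" not in body.lower()


def classify(head_body, config_body) -> str:
    """Combine both checks into a verdict: 'exposed', 'suspicious' or 'clean'."""
    head_ok = head_body is not None and looks_like_git_head(head_body)
    conf_ok = config_body is not None and looks_like_git_config(config_body)
    if head_ok and conf_ok:
        return "exposed"
    if head_ok or conf_ok:
        return "suspicious"   # one file matched; worth a manual look
    return "clean"


def fetch(url: str, timeout: float = 5.0):
    """Return the first 4 KiB of the response body as text, or None on error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_site(base_url: str) -> str:
    """Fetch .git/HEAD and .git/config under base_url and classify the result."""
    base = base_url.rstrip("/")
    return classify(fetch(base + "/.git/HEAD"), fetch(base + "/.git/config"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_git_exposure.py https://your-domain.com")
    print(check_site(sys.argv[1]))
```

If the verdict is "exposed", the fix belongs at the web server: deny any path under /.git (for nginx, a `location ~ /\.git` block returning 404), or move the checkout outside the document root entirely.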