This is especially good to know when you’re exfiltrating .git folders that are unprotected and publicly accessible on websites :-)
Seriously though, make sure you’re deleting .git folders from deployed websites - or at least prevent them from being accessed. In 300+ of the 1000+ website .git folders I downloaded from random websites there were private access credentials to AWS, GitHub, OpenAI, etc.
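One way to act on the advice above, as an added example that is not part of the original comment: a pre-deploy gate in POSIX shell that refuses to publish a web root containing Git metadata. The function names and the idea of running it against a staged copy of the site are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deploy check for Git metadata in a web root.
# Function names are hypothetical; run it against the directory you are about to publish.

# find_git_metadata DIR
# Prints every ".git" directory and every ".git" file under DIR, one per line.
# A ".git" *file* is the gitlink that submodules and worktrees leave behind; it
# reveals repository layout, so it is reported as well.
find_git_metadata() {
    # -prune stops find from descending into a matched .git directory,
    # so only the top of each metadata tree is reported.
    find "$1" -name .git \( -type d -o -type f \) -prune -print
}

# check_webroot DIR
# Returns 0 when DIR is clean, 1 when deploying it would publish Git metadata.
check_webroot() {
    hits=$(find_git_metadata "$1")
    if [ -n "$hits" ]; then
        printf 'refusing to deploy, Git metadata present:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# strip_git_metadata DIR
# Removes Git metadata from DIR. Intended for a staged *copy* of the site,
# never for the working repository itself.
strip_git_metadata() {
    find "$1" -name .git \( -type d -o -type f \) -prune -exec rm -rf {} +
}

# Stand-alone use: sh check.sh /path/to/staged/webroot
if [ "$#" -gt 0 ]; then
    check_webroot "$1" || exit 1
fi
```

Stripping the folder only stops new exposure; credentials that were already committed stay in the repository history and have to be rotated.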