
ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online
2020-04-29 09:00

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.

"The irony of an EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy.

GDPR.eu is run by Proton Technologies AG, better known as the Swiss corporation behind the email service ProtonMail, which prides itself on being the leader of the pack for all things security and privacy.

Within the /.git/ repo were the keys to GDPR.eu's WordPress kingdom: a full and unabridged copy of wp-config.
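The exposure described above comes from two things sitting inside the web server's document root: a `.git` directory (which a web server happily serves file by file, so anyone can reconstruct the repository) and a readable `wp-config.php` committed into it. The following is an added example, not code from the article or from Proton Technologies, showing a defender-side audit a site operator could run on their own document root before deployment. It walks the web root, flags any `.git` directory that would be served, and flags a `wp-config.php` whose mode makes it world-readable. The `make_sample_webroot` helper builds a constructed, deliberately misconfigured document root in a temporary directory so the audit can be exercised offline; it is an assumption for illustration, not a real site layout.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_webroot(webroot):
    """Walk a document root and return (finding_kind, path) tuples for
    version-control metadata and readable WordPress secrets that a web
    server would expose.

    finding kinds:
      vcs_dir_in_webroot     - a .git directory lives under the served tree
      secrets_world_readable - wp-config.php is readable by 'other'
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if ".git" in dirnames:
            findings.append(("vcs_dir_in_webroot", str(Path(dirpath) / ".git")))
            # No need to descend into the repository itself.
            dirnames.remove(".git")
        for name in filenames:
            if name == "wp-config.php":
                path = Path(dirpath) / name
                mode = stat.S_IMODE(path.stat().st_mode)
                if mode & stat.S_IROTH:
                    findings.append(("secrets_world_readable", str(path)))
    return findings


def make_sample_webroot(misconfigured=True):
    """Build a constructed document root in a temp directory (assumption for
    the demo). With misconfigured=True it reproduces the two problems the
    article describes; with False it is a clean tree."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    if misconfigured:
        # A .git directory inside the served tree: every object in it is
        # fetchable by URL, so the whole history (and wp-config) leaks.
        git_dir = root / ".git"
        git_dir.mkdir()
        (git_dir / "HEAD").write_text("ref: refs/heads/master\n")
        # A wp-config.php with placeholder credentials, world-readable.
        cfg = root / "wp-config.php"
        cfg.write_text(
            "<?php\n"
            "define('DB_USER', 'PLACEHOLDER_USER');\n"
            "define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');\n"
        )
        cfg.chmod(0o644)
    return str(root)


def summarize(findings):
    """Return a short human-readable report; an empty list means clean."""
    if not findings:
        return "OK: no VCS metadata or readable secrets in web root"
    lines = [f"{kind}: {path}" for kind, path in findings]
    return "FAIL:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_webroot(make_sample_webroot(misconfigured=True))))
    print(summarize(audit_webroot(make_sample_webroot(misconfigured=False))))
```

Running the script reports both findings for the misconfigured tree and a clean result for the other. In practice the fix is to deploy from a build artifact rather than a checked-out repository, keep `wp-config.php` outside the document root (WordPress looks one level above it), and as a belt-and-braces measure add a server rule that refuses requests for any path under `/.git` (for nginx, a `location ~ /\.git { deny all; }` block).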

He said: "We were informed of this issue on Friday, the 24th of April, and a fix was deployed shortly afterwards. gdpr.eu is hosted on independent third party infrastructure, does not contain any user data, and the information in the exposed git folder cannot lead to gdpr.eu being defaced because database access is limited to internal only. Nevertheless this is a legitimate finding under our bug bounty program. It's important to note that no personal information is stored at gdpr.eu and at no point was any sensitive data at risk."


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/29/protonmail_gdpr_advice_site_git_snafu/