ugh, in 30 minutes I have seen 35 people expose their .git folder using tailscale funnel
and that was a quick poc, I think I'm only watching one of the CT firehoses
in reality it's probably worse
@danderson , if you still have contacts there
I think funnel is a really dangerous footgun which should come with a big warning that whatever you expose will get scanned from the internet immediately
I recall there was a banner in the documentation, but it should be in BIG RED letters when running it
I intentionally only did HEAD requests, but when I exposed my little test server I immediately saw GET requests for .git/config
I assume next step is that they come for .git/HEAD and then pull down everything...