When you create a new Git application on WebFaction's control panel, a .htpasswd file is created with world-readable permissions. This means that anyone can access your private repositories by browsing to http://domain.com/path/to/git/.htpasswd, which contains a username and password-hash. (First the hash needs to be cracked, but that is easily done.)
To fix this:
Until one of those solutions can be implemented, I recommend updating the docs at http://docs.webfaction.com/software/git.html so that users can secure their repositories themselves.
I've posted a tad more information (and a line-by-line guide to securing your repositories) on my blog.
asked Jan 11 '11 at 13:51
This is not supposed to happen. I just checked this on my own account and can verify that it is not the case,
Also, when I visited http://domain.com/.htaccess I was prompted with an auth, so it is not world readable. Could you please submit a support ticket so we can see why your account did this?
answered Jan 11 '11 at 15:40
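Added example, not part of either post above and not WebFaction's own tooling: a shell check covering both tests mentioned in the thread, the file-mode test from the question (is the "other: read" bit set on .htpasswd) and the HTTP test from the answer (does the server return the file or ask for authentication). The function names and the directory and URL arguments are assumptions to be replaced with your own paths.

```shell
#!/bin/sh
# Added example (not from the thread). Run over SSH on the hosting account.

# world_readable_htfiles ROOT
# Print every .htpasswd/.htaccess under ROOT whose mode has the
# "other: read" bit (octal 004) set. Exit status 1 if any were found.
world_readable_htfiles() {
    found=$(find "$1" -type f \( -name .htpasswd -o -name .htaccess \) \
        -perm -004 -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# served_status URL
# Print the HTTP status code the web server returns for URL (needs curl).
served_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# classify_status CODE
# 200: the file body is returned to any visitor.
# 401: the server asks for credentials (the "prompted with an auth" case).
# 403/404: the server refuses or hides the file.
classify_status() {
    case "$1" in
        200) echo exposed ;;
        401) echo auth-required ;;
        403|404) echo blocked ;;
        *) echo unknown ;;
    esac
}

# Typical use (paths and URL are placeholders):
#   world_readable_htfiles "$HOME/webapps"
#   classify_status "$(served_status http://domain.com/path/to/git/.htpasswd)"
```

The two checks answer different questions: the first is about other accounts on the same host reading the file from disk, the second about visitors fetching it over HTTP.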