A vulnerability has been found in iThemes Security backup function that may allow attackers to gain access to backup/log files.
By default, when using the "database backup on filesystem" feature, iThemes Security saves the backup files in a world-readable directory :
The .htaccess file is generated during the plugin initial setup/update, only if the wp-content/uploads/ithemes-security/backups exists (or wp-content/uploads/ithemes-security/logs). Note that it does NOT exists by default.
When running a backup, the ITSEC_Backup class creates the directory but without any .htaccess file inside. The same thing happens with log saving.
If the webserver has directory listing enabled, then anybody can download the complete database backup or view the log files.