Home Cyber Crime Stray GitHub access token from Shopify earns novice bug bounty hunter $50k

Stray GitHub access token from Shopify earns novice bug bounty hunter $50k


John Leyden

27 July 2021 at 16:36 UTC

Up to date: 27 July 2021 at 16:44 UTC

Programming credential that gave entry to Shopify repos wasn’t abused, audit reveals

A stray GitHub access token from Shopify was identified through a bug bounty

Novice bug bounty hunter Augusto Zenellato has earned a $50,000 payday after discovering a GitHub entry token that gave entry to Shopify repos.

The safety researcher stumble on the difficulty whereas reviewing a public macOS app. Though Zenellato didn’t notice it on the time, the Electron-based app was developed by a Shopify worker.

Hidden inside a .env file was a GitHub token which gave entry to each private and non-private repos and admin privileges, probably permitting a much less ethically-minded particular person to tamper with repositories and even plant backdoors.

Read more of the latest bug bounty news

Zenellato reported the difficulty to Shopify through HackerOne, which later confirmed it was this system’s very first payout.

The e-commerce know-how provider confirmed the difficulty and revoked the token earlier than finishing up an audit that confirmed no unauthorized exercise had occurred – allaying potential backdoor fears.

Classes realized

A write-up of the discover might be present in a blog post by HackerOne. The researcher’s response on social media and the discussions it sparked might be discovered here.

Zenellato instructed The Each day Swig that his discovery provided classes for each software program builders and bug bounty hunters.

“I believe a very powerful lesson to be realized right here for builders is to triple examine what you’re really bundling in your launch builds,” Zenellato mentioned. “Hackers alternatively ought to all the time examine what a token they discovered supplies entry to.”

Zenellato concluded: “If I haven’t checked it manually with the GitHub API, I’d have by no means found that the man creating that utility was a Shopify worker with learn/write entry to all of the repositories, so I wouldn’t have ever discovered that situation.”

The Each day Swig has approached Shopify for remark. We’ll replace this story as and when extra data comes at hand.

RELATED Loyalty management tech firm Antavo launches bug bounty program

Source link