27 July 2021 at 16:36 UTC
Updated: 27 July 2021 at 16:44 UTC
Developer credential that gave access to Shopify repos wasn’t abused, audit reveals
Novice bug bounty hunter Augusto Zanellato has earned a $50,000 payday after discovering a GitHub access token that gave access to Shopify repos.
The security researcher stumbled upon the issue while reviewing a public macOS app. Although Zanellato didn’t notice it at the time, the Electron-based app was developed by a Shopify employee.
Hidden inside a .env file was a GitHub token that gave access to both private and public repos with admin privileges, potentially allowing a less ethically-minded individual to tamper with repositories or even plant backdoors.
Zanellato reported the issue to Shopify via HackerOne, which later confirmed it was the program’s very first payout.
The e-commerce technology provider confirmed the issue and revoked the token before carrying out an audit that confirmed no unauthorized activity had occurred – allaying potential backdoor fears.
Zanellato told The Daily Swig that his discovery offered lessons for both software developers and bug bounty hunters.
“I think the most important lesson to be learned here for developers is to triple check what you’re actually bundling in your release builds,” Zanellato said. “Hackers on the other hand should always check what a token they found provides access to.”
Zanellato concluded: “If I hadn’t checked it manually with the GitHub API, I would have never found out that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t have ever found that issue.”
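As a defender-side illustration of the “check what you’re bundling” lesson, here is an added Python example (not from the article, Shopify, or the researcher) that scans an unpacked Electron-style build tree for bundled .env files and GitHub-token-shaped strings before release; the sample bundle and its placeholder token are constructed, and the filenames are assumptions.

```python
import re
import tempfile
from pathlib import Path

# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_ and fine-grained github_pat_).
GITHUB_TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# Any KEY=value line inside a bundled .env file is worth flagging, whatever the value looks like.
ENV_ASSIGNMENT_RE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")


def scan_release_bundle(root):
    """Return a list of (relative_path, finding) for secrets found under the build tree."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        # A .env file has no business in a release build at all: flag every assignment.
        if path.name == ".env" or path.name.startswith(".env."):
            for line in text.splitlines():
                m = ENV_ASSIGNMENT_RE.match(line)
                if m:
                    findings.append((rel, f"env variable {m.group(1)} bundled"))
        # Token-shaped strings anywhere (JS, JSON, config) are flagged, shown only by their ends.
        for m in GITHUB_TOKEN_RE.finditer(text):
            tok = m.group(0)
            findings.append((rel, f"GitHub token {tok[:4]}...{tok[-4:]}"))
    return findings


def bundle_is_clean(root):
    """True when the pre-release check finds nothing; use this as a build gate."""
    return not scan_release_bundle(root)


def build_sample_bundle():
    """Create a constructed, throwaway unpacked bundle (assumed layout) for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="bundle-"))
    unpacked = root / "app.asar.unpacked"
    unpacked.mkdir()
    # Constructed placeholder token: correct shape, not a real credential.
    (unpacked / ".env").write_text("GITHUB_TOKEN=ghp_" + "A" * 36 + "\nAPP_ENV=production\n")
    (unpacked / "main.js").write_text("console.log('hello');\n")
    return root
```

Running `scan_release_bundle(build_sample_bundle())` reports the two bundled variables and the token-shaped value, so `bundle_is_clean` returns False and a CI step can fail the release.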
The Daily Swig has approached Shopify for comment. We’ll update this story as and when more information comes to hand.