A bug bounty hunter has earned $55,000 for reporting this exploit and a separate set of RCE flaws

GitHub Gist: Account takeover vulnerability patched in code-sharing web service

The GitHub security team has patched an account takeover vulnerability in the GitHub Gist code-sharing service that earned its finder a $10,000 reward.

GitHub Gist lets developers instantly share snippets of code as either public or secret gists.

On October 19, developer and bug bounty hunter William “vakzz” Bowling released a GitHub security advisory – one of three – that disclosed a severe bug exposing individual ‘gists’ due to open redirect errors.

Speaking to The Daily Swig this week, Bowling said that as he works with Ruby on Rails in his day job, he was familiar with GitHub and its use of Rails to “make it a bit easier to get started”.

“Their bounty program has very generous rewards and they have always been really responsive, and since it had been over a year since I’d last looked, I thought it was time to try again,” Bowling commented.

Catch the Gist

The open redirect was caused by Rails’ url_for helper, which GitHub uses to generate links to controllers on its own domain.

Extra parameters are appended to the URL as query strings, but the way the helper was called left some of url_for’s own arguments under the control of the request. That yielded a low-severity reflected cross-site scripting (XSS) issue, blocked in practice by GitHub’s Content Security Policy, and, more usefully, a way to redirect requests off-site by supplying the script_name option.
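The mechanism described above, as an added example that is not GitHub’s code or the researcher’s: a simplified stand-in for Rails’ url_for (assumed here to prepend script_name verbatim to the routed path, which is how the Rails helper composes path-only URLs), the vulnerable pattern of merging request parameters into its options, a hardened variant that allowlists query keys, and a same-origin check for any redirect target derived from user input. The route names, parameter names and attacker input are constructed for illustration.

```ruby
require "uri"

# Simplified model of how a Rails-style url_for assembles a path-only URL:
# the script_name option is prepended verbatim to the routed path and every
# option that is not a path option becomes a query-string parameter.
# This is a stand-in written for this example, not Rails' own implementation.
PATH_OPTIONS = %i[controller action script_name only_path].freeze

def model_url_for(options)
  path = "/#{options[:controller]}/#{options[:action]}"
  path = options[:script_name].to_s.chomp("/") + path
  extra = options.reject { |k, _| PATH_OPTIONS.include?(k) }
  path += "?" + URI.encode_www_form(extra) unless extra.empty?
  path
end

# Vulnerable pattern: request parameters are merged straight into the url_for
# options, so a client that sends script_name=//evil.com turns a same-site link
# into a scheme-relative URL that the browser resolves against evil.com.
def vulnerable_next_url(request_params)
  model_url_for({ controller: "gists", action: "index" }.merge(request_params))
end

# Hardened pattern: only allowlisted keys from the request are passed through,
# and they arrive as query values, so script_name (or host, protocol, ...) can
# never be set by the client.
ALLOWED_QUERY = %i[page].freeze

def hardened_next_url(request_params)
  safe = request_params.select { |k, _| ALLOWED_QUERY.include?(k) }
  model_url_for({ controller: "gists", action: "index" }.merge(safe))
end

# Check to run on any redirect target derived from user input: accept only a
# relative path that starts with exactly one "/" (browsers treat "//" and "/\"
# as scheme-relative) and that parses with no scheme and no host.
def local_path?(target)
  return false unless target.is_a?(String) && target.start_with?("/")
  return false if target.start_with?("//", "/\\")
  uri = begin
    URI.parse(target)
  rescue URI::InvalidURIError
    return false
  end
  uri.scheme.nil? && uri.host.nil?
end

if __FILE__ == $PROGRAM_NAME
  evil = { script_name: "//evil.com", page: "2" } # constructed attacker input
  puts vulnerable_next_url(evil)              # //evil.com/gists/index?page=2
  puts hardened_next_url(evil)                # /gists/index?page=2
  puts local_path?(vulnerable_next_url(evil)) # false
end
```

The fix is structural rather than a denylist: untrusted input should reach url_for only as query values under keys the application chose, never as the options hash itself. The local_path? check is a second line of defence for redirect targets that are built elsewhere.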

After discovering the open redirect and with assistance from bug bounty hunter Ian “corb3nik” Bouchard, Bowling examined the impact of the vulnerability on built-in OAuth tokens.


Because the client_id is public, an attacker needs only the victim’s browser_session_id and the OAuth code; by adding script_name="example" to a route in the flow, Bowling was redirected to resources that should have been private.

Because github.com and gist.github.com use separate session tokens, however, the takeover granted access to Gist only, not to the victim’s GitHub account.

“The Gist bug required the victim to click on a link or have a page redirect to it, but after that there was no other interaction required,” Bowling told us.

“It would give an attacker the ability to log into gist.github.com as the victim with full access to their public and secret gists. So, it would depend on what the victim had stored, but generally secret gists are secret for a reason and you don’t want unauthorized people seeing them.”

Multiple issues triaged

The bug bounty hunter reported the open redirect to GitHub Security on July 26, following up with the Gist account takeover exploit on the same day.

The security team triaged the submission and applied a hotfix by July 29, patching the issue on the github.com domain. A $10,000 bug bounty was awarded on October 15.

Bowling also disclosed two separate GitHub security issues this month. On October 18, the bug bounty hunter published a technical advisory detailing an “almost” remote code execution (RCE) exploit via git option injection.


Based on his previous discovery of a file truncation and git command injection security flaw, Bowling found an underlying issue that allowed attackers to inject a malicious argument into a Git sub-command on GitHub Enterprise Server.

While the issue was not actively exploitable, the report earned Bowling $20,000 through the GitHub security bug bounty program.
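The article does not describe which Git sub-command or argument was involved, so the following is an added, constructed illustration of the general git option injection pattern and its fix, not GitHub’s code or the researcher’s: an argv built with a user-supplied ref as a bare argument, a ref-name validator that approximates git’s check-ref-format rules, and a hardened argv that uses --end-of-options and -- so no operand can be parsed as an option. The sub-command and sample refs are assumptions for the example.

```ruby
# Constructed illustration of git option injection; not GitHub's code.
# Git treats any argument starting with "-" as an option, so a ref name taken
# from user input and passed as a bare argument changes what the command does
# instead of what it operates on.
def git_argv_unsafe(subcommand, user_ref)
  ["git", subcommand, user_ref]
end

# Approximation of the rules enforced by `git check-ref-format`, used here to
# reject hostile input before it reaches argv at all: no leading "-" or "/",
# no "..", "@{" or "//", no control characters or shell-ish metacharacters,
# and no path component that starts with "." or ends with ".lock".
def valid_ref_name?(ref)
  return false if ref.empty? || ref == "@"
  return false if ref.start_with?("-", "/") || ref.end_with?("/", ".", ".lock")
  return false if ref.include?("..") || ref.include?("@{") || ref.include?("//")
  return false if ref.match?(/[\x00-\x20\x7f~^:?*\[\\]/)
  ref.split("/").none? { |part| part.start_with?(".") || part.end_with?(".lock") }
end

# Hardened: validate the ref, then use "--end-of-options" (git 2.24+) so that
# nothing after it is parsed as an option, and "--" to separate revisions from
# pathspecs. Passing argv as an array keeps a shell out of the picture entirely.
def git_argv_safe(subcommand, user_ref)
  unless valid_ref_name?(user_ref)
    raise ArgumentError, "invalid ref name: #{user_ref.inspect}"
  end
  ["git", subcommand, "--end-of-options", user_ref, "--"]
end

if __FILE__ == $PROGRAM_NAME
  hostile = "--output=/tmp/pwned" # constructed: looks like a diff option to git
  p git_argv_unsafe("log", hostile) # ["git", "log", "--output=/tmp/pwned"]
  p git_argv_safe("log", "main")    # ["git", "log", "--end-of-options", "main", "--"]
  begin
    git_argv_safe("log", hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Validation and --end-of-options are complementary: the validator stops option-shaped refs at the boundary, while the separator protects against sub-commands or flags the validator did not anticipate.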

The bug bounty hunter also reported CVE-2020-10518, an RCE vulnerability in GitHub Enterprise Server that could be triggered through the GitHub Pages service. The vulnerability, now patched, earned him $20,000 and a $5,000 bonus.

“It’s been great to work with researchers like William to help GitHub find and fix vulnerabilities,” commented Greg Ose, director of application security engineering at GitHub.

“William’s findings show their great intuition around security research, and engaging researchers like them is the reason why we continue to see value in our bug bounty program.”
