Programming credential that gave access to Shopify repos wasn’t abused, audit reveals

A stray GitHub access token from Shopify was identified through a bug bounty

Novice bug bounty hunter Augusto Zanellato has earned a $50,000 payday after discovering a GitHub access token that gave access to Shopify repos.

The security researcher hit upon the issue while reviewing a public macOS app. Although Zanellato didn’t realize it at the time, the Electron-based app was developed by a Shopify employee.

Hidden within a .env file was a GitHub token which gave access to both public and private repos and admin privileges, potentially allowing a less ethically-minded individual to tamper with repositories and even plant backdoors.


Zanellato reported the issue to Shopify via HackerOne, which later confirmed it was the program’s very first payout.

The e-commerce technology supplier confirmed the issue and revoked the token before carrying out an audit that confirmed no unauthorized activity had occurred – allaying potential backdoor fears.

Lessons learned

A write-up of the find can be found in a blog post by HackerOne. The researcher’s reaction on social media and the discussions it sparked can be found here.

Zanellato told The Daily Swig that his discovery offered lessons for both software developers and bug bounty hunters.

“I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds,” Zanellato said. “Hackers on the other hand should always check what a token they found provides access to.”

Zanellato concluded: “If I hadn’t checked it manually with the GitHub API, I would never have discovered that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t have ever found that issue.”
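As an added example (not code from the write-up, from Shopify, or from the researcher), here is a pre-release check in the spirit of the advice to developers above: it walks a built app tree, flags any bundled dotenv file, and flags any file whose contents match the shapes GitHub uses for its tokens. The Electron-style directory layout and the `ghp_` sample token it creates are constructed for the demonstration.

```python
import os
import re
import tempfile

# Token shapes GitHub issues: gh{p,o,u,s,r}_ + 36 chars (classic/OAuth/app), github_pat_ + 82 chars (fine-grained).
GITHUB_TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
# Generic "NAME_TOKEN=value" style assignments, as found in dotenv files.
SECRET_ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?\w*(?:TOKEN|SECRET|KEY)\w*\s*=\s*\S+", re.M)


def scan_release_dir(root: str) -> list[tuple[str, str]]:
    """Walk a built release tree; return (relative_path, reason) for anything that should not ship."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == ".env" or name.startswith(".env."):
                findings.append((rel, "dotenv file bundled"))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if GITHUB_TOKEN_RE.search(text):
                findings.append((rel, "GitHub token pattern"))
            elif SECRET_ASSIGN_RE.search(text):
                findings.append((rel, "secret-looking assignment"))
    return sorted(findings)


def build_sample_release(base: str, leak: bool) -> str:
    """Constructed mini Electron-style release tree; with leak=True a dotenv file with a fake token ships."""
    app = os.path.join(base, "MyApp.app", "Contents", "Resources", "app")
    os.makedirs(app, exist_ok=True)
    with open(os.path.join(app, "main.js"), "w") as fh:
        fh.write("require('dotenv').config();\nconsole.log('hello');\n")
    if leak:
        fake_token = "ghp_" + "A" * 36  # constructed: right shape, not a real credential
        with open(os.path.join(app, ".env"), "w") as fh:
            fh.write(f"GITHUB_TOKEN={fake_token}\nAPI_URL=https://example.invalid\n")
    return base


def demo(leak: bool = True) -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir and scan it, as a release pipeline step would."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_release_dir(build_sample_release(tmp, leak))


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```

Run against a real build output directory (for example the unpacked app resources) the scan should return an empty list before the artifact is published.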

The Daily Swig has approached Shopify for comment. We’ll update this story as and when more information comes to hand.
