Programming credential that gave access to Shopify repos wasn’t abused, audit reveals
Novice bug bounty hunter Augusto Zanellato has earned a $50,000 payday after discovering a GitHub access token that gave access to Shopify repos.
The security researcher hit upon the issue while reviewing a public macOS app. Although Zanellato didn’t realize it at the time, the Electron-based app was developed by a Shopify employee.
Hidden within a .env file was a GitHub token that granted access to both public and private repos, along with admin privileges, potentially allowing a less ethically minded individual to tamper with repositories or even plant backdoors.
Zanellato reported the issue to Shopify via HackerOne, which later confirmed it was the program’s very first payout.
The e-commerce technology supplier confirmed the issue and revoked the token before carrying out an audit that confirmed no unauthorized activity had occurred – allaying potential backdoor fears.
Zanellato told The Daily Swig that his discovery offered lessons for both software developers and bug bounty hunters.
“I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds,” Zanellato said. “Hackers on the other hand should always check what a token they found provides access to.”
Zanellato concluded: “If I hadn’t checked it manually with the GitHub API, I would have never discovered that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t have ever found that issue.”
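The developer-side lesson above, checking what actually ends up in a release build, can be turned into a pre-release gate. The following Python script is an added example, not code from Shopify, the researcher, or the app in question: it walks an unpacked bundle directory, flags files that should never ship (a constructed list such as `.env` and `.npmrc`), and greps text files for GitHub's prefixed token formats (classic `ghp_`, OAuth `gho_`, fine-grained `github_pat_`, and related prefixes). The sample bundle it builds, including both planted tokens, is constructed for the demo; the file-name list and size cutoff are assumptions to adjust per project.

```python
import re
import tempfile
from pathlib import Path

# File names that should never ship inside a release bundle (assumed list; extend per project).
SECRET_FILENAMES = {".env", ".env.local", ".env.production", ".npmrc"}

# GitHub's prefixed token formats: classic personal access tokens start with ghp_,
# OAuth tokens with gho_, user-to-server with ghu_, app installation tokens with ghs_,
# refresh tokens with ghr_; fine-grained personal access tokens start with github_pat_.
GITHUB_TOKEN_RE = re.compile(
    r"\b(gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"
)

# Files above this size are skipped: bundled binaries and media are not worth grepping here (assumed cutoff).
MAX_BYTES = 2 * 1024 * 1024


def redact(token: str) -> str:
    """Keep only the prefix so a scan report can be shared without re-leaking the secret."""
    return token[:8] + "..."


def scan_release_dir(root: str) -> list[dict]:
    """Return findings for forbidden file names and token-shaped strings under root."""
    root_path = Path(root)
    findings = []
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        # A forbidden file name is a finding on its own, whatever it contains.
        if path.name in SECRET_FILENAMES:
            findings.append({"path": rel, "kind": "secret_file", "line": 0, "value": path.name})
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary content, not scanned here
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in GITHUB_TOKEN_RE.finditer(line):
                findings.append(
                    {"path": rel, "kind": "github_token", "line": lineno, "value": redact(match.group(1))}
                )
    return findings


def build_sample_release(dest: str) -> str:
    """Write a small constructed Electron-style bundle with two planted, fake tokens."""
    app = Path(dest) / "resources" / "app"
    app.mkdir(parents=True)
    (app / "main.js").write_text("const { app } = require('electron');\napp.whenReady();\n")
    # Constructed .env mirroring the mistake in the story: a token bundled next to app code.
    (app / ".env").write_text(
        "API_URL=https://example.invalid\n"
        "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
    )
    (app / "config.json").write_text(
        '{"updater": {"token": "gho_abcdefghijklmnopqrstuvwxyz0123456789"}}\n'
    )
    (Path(dest) / "README.md").write_text("Sample bundle, no secrets here.\n")
    return dest


def demo() -> list[dict]:
    """Build the constructed bundle in a temp dir and scan it."""
    return scan_release_dir(build_sample_release(tempfile.mkdtemp(prefix="release-")))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:13} {f['path']}:{f['line']}  {f['value']}")
```

Run it against the directory that gets packaged (for an Electron app, the contents that go into `app.asar`) and fail the build on any finding; a non-empty result is cheap to triage and far cheaper than a token revocation and repository audit after release.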
The Daily Swig has approached Shopify for comment. We’ll update this story as and when more information comes to hand.