GitHub access token exposure

Program: Shopify
Bug Type: sensitive data exposure
Bounty: 50000
Date: 2021-01-26
sensitive-data-exposure cryptographic-failure misconfiguration

Summary

While testing a desktop macOS application, a researcher found a .env file that the application did not use. On further investigation, the .env file contained a GitHub personal access token (PAT) owned by a Shopify employee, with read-write access to the Shopify production GitHub repository.
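A release-pipeline check for the condition described above, as an added example that is not code from the report or from Shopify: it walks a build output tree, reports every dotenv file it finds, and flags GitHub-token-shaped strings inside it. The bundle layout, file names and token value are constructed for the demo, and the function names are hypothetical.

```python
import os
import re
import tempfile

# GitHub token shapes: prefixed tokens (ghp_, gho_, ghu_, ghs_, ghr_),
# fine-grained PATs (github_pat_), and the older bare 40-hex-character format.
TOKEN_PATTERNS = [
    ("prefixed", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("fine-grained", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}")),
    ("legacy-hex", re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])")),
]
# File names treated as dotenv files: .env, .env.local, prod.env, ...
DOTENV_NAME = re.compile(r"^(\.env(\..+)?|.+\.env)$")

def redact(token):
    """Keep just enough of the token to locate it, never the full value."""
    return token[:7] + "..." + token[-4:]

def scan_bundle(root):
    """Return (relative_path, line_number, kind, redacted_value) findings.

    A dotenv file is reported even without a token (line 0, "dotenv-file"),
    because the file itself should not ship in a release artifact.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not DOTENV_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            findings.append((rel, 0, "dotenv-file", ""))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for kind, pattern in TOKEN_PATTERNS:
                        for m in pattern.finditer(line):
                            findings.append((rel, lineno, kind, redact(m.group())))
    return findings

def demo():
    """Build a constructed .app-like tree with a stray .env and scan it."""
    with tempfile.TemporaryDirectory() as root:
        res = os.path.join(root, "Example.app", "Contents", "Resources")
        os.makedirs(res)
        fake = "ghp_" + "A" * 36  # constructed placeholder, not a real token
        with open(os.path.join(res, ".env"), "w") as fh:
            fh.write("# constructed sample\nGITHUB_TOKEN=" + fake + "\n")
        return scan_bundle(root)
```

Failing the build on any non-empty result keeps both the unused file and the credential out of the shipped artifact; a token that has already shipped still has to be revoked.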

References