Popular e-commerce platform Shopify had a simple yet serious vulnerability that could have devastating results. The vulnerability existed due to an exposed GitHub access Token that subsequently risked all Shopify repos.
Shopify Vulnerability Exposed GitHub Access Token
Bug bounty hunter, Augusto Zanellato, noticed a Shopify vulnerability due to an exposed GitHub access token.
Specifically, he found the exposed GitHub token in a .env file while testing a public macOS Electron-based app.
Eventually, exploiting this token could allow access to all public and private Shopify repositories. In fact, this unauthorized access could also allow an adversary to meddle with the repositories and plant backdoors.
As Shopify described further, this token had read/write access to Shopify repos. At that time, Zanellato didn’t know that a Shopify employee had developed the app. However, dissecting the app and the subsequent exposed GitHub Personal Access Token (PAT) made him realize it.
Bug Fixed With A $50K Bounty For The Hacker
Upon discovering the bug, the bug bounty hunter reported the matter to Shopify via its HackerOne bug bounty program. After the initial bug report earlier this year, the Shopify team worked on developing a fix.
Consequently, the vendors deployed a patch by revoking the GitHub PAT. Nonetheless, given the severe impact of the flaw, they have labeled the bug as “critical” with a severity score of 10.0.
Also, the novice bug bounty hunter earned a hefty bounty of $50,000 from Shopify for reporting this flaw.
While the bug has received the fix, Zanellato advises all software developers to check their release builds thoroughly. As mentioned in his tweet,
I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds.”
Moreover, he advises the hackers to analyze access tokens whenever they come across one.
Hackers on the other hand should always check what a token they found provides access to. If I haven’t checked it manually with the GitHub API I would have never discovered that the guy developing that application was a Shopify employee with r/w access to all the repositories, so I wouldn’t have ever found that issue.
Let us know your thoughts in the comments.