$50,000 Shopify access to source code via leaking GitHub token – Hackerone bug bounty
Subscribe to Bug Bounty Reports Discussed podcast:
on Spotify: https://open.spotify.com/show/6tLoJ5foOoZPPELwrHPBO4
on Apple Podcasts: https://podcasts.apple.com/us/podcast/bug-bounty-reports-discussed/id1583400215?uo=4
on Google Podcasts: https://podcasts.google.com/feed/aHR0cHM6Ly93d3cuc3ByZWFrZXIuY29tL3Nob3cvNTA3Mzc4MS9lcGlzb2Rlcy9mZWVk
✉️ Sign up for the mailing list ✉️
https://mailing.bugbountyexplained.com/
Get $100 in credits for Digital Ocean:
https://m.do.co/c/cc700f81d215
Report:
https://hackerone.com/reports/1087489
Reporter’s media:
https://twitter.com/auguzanellato
https://hackerone.com/augustozanellato?type=user
https://github.com/augustozanellato
Follow me on twitter:
https://twitter.com/gregxsunday
Timestamps:
00:00 Intro
00:28 Packaging Electron
01:55 What is the .asar file?
03:21 What is the .env file?
04:27 How to check the GitHub API key?
05:22 How to exploit leaked GitHub API key?
05:50 How to check for this vulnerability?