This video explains a $50,000 vulnerability reported to the Shopify bug bounty program that gave push and pull access to all of Shopify's repositories on GitHub. The root cause was a GitHub Personal Access Token belonging to a Shopify employee that had been leaked inside a packaged Electron application (an .env file bundled into the app's .asar archive). The bug was reported on HackerOne by Augusto Zanellato. The token was revoked shortly after the submission, and Shopify's audit confirmed that no unauthorized activity had occurred.

Subscribe to Bug Bounty Reports Discussed podcast:
on Spotify: https://open.spotify.com/show/6tLoJ5foOoZPPELwrHPBO4
on Apple Podcasts: https://podcasts.apple.com/us/podcast/bug-bounty-reports-discussed/id1583400215?uo=4
Google Podcasts: https://podcasts.google.com/feed/aHR0cHM6Ly93d3cuc3ByZWFrZXIuY29tL3Nob3cvNTA3Mzc4MS9lcGlzb2Rlcy9mZWVk

✉️ Sign up for the mailing list ✉️
https://mailing.bugbountyexplained.com/

Get $100 in credits for Digital Ocean:
https://m.do.co/c/cc700f81d215

Report:
https://hackerone.com/reports/1087489

Reporter’s media:
https://twitter.com/auguzanellato
https://hackerone.com/augustozanellato?type=user
https://github.com/augustozanellato

Follow me on twitter:
https://twitter.com/gregxsunday

Timestamps:

00:00 Intro
00:28 packaging Electron
01:55 What is the .asar file?
03:21 What is the .env file?
04:27 How to check the GitHub API key?
05:22 How to exploit leaked GitHub API key?
05:50 How to check for this vulnerability?
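
An added example, not code from the video or from the HackerOne report, covering what the last three chapters describe: unpack an app.asar the way Electron reads it, scan every packaged file (including a .env that was bundled by mistake) for strings in GitHub's token formats, and check a hit against the GitHub API to learn whose token it is and which scopes it carries. The archive contents, the token and the API replies are all constructed; the API check takes an injectable opener and is driven by a fake response here so the script runs offline.

```python
"""Added example: unpack an Electron .asar, scan it for a leaked GitHub token,
and check what the token can do. Archive contents, token and API replies are
all constructed so the script runs offline; nothing here is from the report."""
import json
import re
import struct
import urllib.error
import urllib.request

# Current GitHub token prefixes: ghp_ classic PAT, gho_ OAuth, ghu_/ghs_ GitHub App
# user/server tokens, ghr_ refresh token; each is followed by 36 alphanumerics.
# Fine-grained PATs (github_pat_...) are not covered by this pattern.
GITHUB_TOKEN_RE = re.compile(rb"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")

# Constructed token in the classic-PAT format; it is not a real credential.
FAKE_TOKEN = "ghp_" + "0123456789abcdef0123456789abcdef0123"


def _pad4(n):
    return (n + 3) & ~3


def pack_asar(files):
    """Build an .asar from {"dir/name": bytes}. Layout, as Electron writes it with
    Chromium Pickle framing: uint32 4 | uint32 header_size | uint32 header_size-4 |
    uint32 json_len | JSON header padded to 4 bytes | concatenated file bytes."""
    header, data = {"files": {}}, b""
    for path, content in files.items():
        node = header
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps(header).encode()
    json_len = len(js)
    js += b"\0" * (_pad4(json_len) - json_len)
    header_size = 8 + len(js)
    return struct.pack("<IIII", 4, header_size, header_size - 4, json_len) + js + data


def read_asar(blob):
    """Parse an .asar blob into [(path, bytes)], recursing into directories.
    Entries marked "unpacked" live outside the archive and symlinks carry "link";
    both are skipped because the archive holds no bytes for them."""
    _, header_size, _, json_len = struct.unpack_from("<IIII", blob, 0)
    header = json.loads(blob[16:16 + json_len])
    data_start = 8 + header_size

    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:
                yield from walk(entry, prefix + name + "/")
            elif "offset" in entry and not entry.get("unpacked"):
                off = data_start + int(entry["offset"])
                yield prefix + name, blob[off:off + entry["size"]]

    return list(walk(header, ""))


def find_github_tokens(entries):
    """Return [(path, token)] for every GitHub-format token in the packaged files."""
    return [(path, m.group().decode()) for path, content in entries
            for m in GITHUB_TOKEN_RE.finditer(content)]


def check_github_token(token, opener=urllib.request.urlopen):
    """GET /user with the token: 200 identifies the owner and, for classic tokens,
    the X-OAuth-Scopes header lists what it can do; 401 means invalid or revoked.
    Do nothing else with a found token: identify it, then report it."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": "token " + token,
                                          "User-Agent": "asar-secret-check"})
    try:
        with opener(req) as resp:
            login = json.loads(resp.read()).get("login")
            raw = resp.headers.get("X-OAuth-Scopes") or ""
            return {"valid": True, "login": login,
                    "scopes": [s.strip() for s in raw.split(",") if s.strip()]}
    except urllib.error.HTTPError as e:
        return {"valid": False, "status": e.code}


class FakeResponse:
    """Constructed stand-in for an api.github.com response so the demo runs offline."""
    def __init__(self, body, scopes):
        self._body, self.headers = json.dumps(body).encode(), {"X-OAuth-Scopes": scopes}
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_opener(req):
    """Accept only FAKE_TOKEN, answering like a classic PAT with the repo scope."""
    if req.get_header("Authorization") == "token " + FAKE_TOKEN:
        return FakeResponse({"login": "octocat"}, "repo, read:org")
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


# Constructed app contents: a .env that should never have been shipped.
SAMPLE_FILES = {
    "package.json": b'{"name": "demo-app", "main": "src/main.js"}',
    "src/main.js": b"require('dotenv').config();\n",
    "src/.env": b"NODE_ENV=production\nGITHUB_TOKEN=" + FAKE_TOKEN.encode() + b"\n",
}

if __name__ == "__main__":
    blob = pack_asar(SAMPLE_FILES)  # stands in for the app.asar shipped with an Electron app
    for path, token in find_github_tokens(read_asar(blob)):
        print(path, token[:8] + "...", check_github_token(token, opener=fake_opener))
```

Against a real build, feed `read_asar(open("app.asar", "rb").read())` instead of the constructed blob (`npx asar extract app.asar out` gives the same files on disk). A classic token whose scopes include `repo` is the case the video describes: it can push to and pull from every repository its owner can reach. The only safe use of a found token is the single `/user` call above to identify it for the report; revocation, as Shopify did here, is the fix.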
