Augusto Zanellato is a computer science student and a first-timer who earned the maximum payout from Shopify's HackerOne programme after he exposed a major Shopify vulnerability: a publicly available access token that gave world+dog read-and-write access to the company's source code repositories.
This is esoteric stuff for most of our readers, but the gist of the story is that Zanellato scored $50,000 for uncovering the vulnerability in Shopify's platform while investigating a third-party Electron-based macOS application created by a Shopify developer.
The developer was not named, but we know the application is a desktop client for a popular video conferencing platform that does not provide an official one.
Here’s a quote from the geek himself:
“After finding the GitHub token inside the application I tried to use it against the GitHub API to see what token it was, whom it belonged to, what privileges it had etc. I found out that the user in question was a member of the Shopify organisation and that he had push and pull access to all the private Shopify repositories.”
“It wasn’t really Shopify’s fault here because for what I know GitHub doesn’t (at least yet) support generating an access token that grants access to personal repositories but not to organization-owned ones. There’s something similar to that because GitHub applications can be granted access only to user repositories without granting organization access, but there is no similar thing for tokens.”
A senior application security engineer at Shopify reported:
“We addressed this issue immediately after receiving this report by revoking the GitHub Personal Access Token. However, we wanted to wait to resolve this issue until we felt we had implemented a long-term mitigation that reduced the likelihood that it would reoccur.”
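The root cause here was a developer's GitHub token shipped inside a desktop app bundle. A pre-release check that scans the unpacked bundle for token-shaped strings is the kind of long-term mitigation the Shopify engineer alludes to. The following is an added example written for this article, not Shopify's tooling or anything from the researcher; it assumes the app's `app.asar` has already been extracted to a directory (for instance with `npx asar extract app.asar out/`, which is not shown), and the regular expressions for GitHub's `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` and `github_pat_` prefixes are my own, written loosely so that length variants are not missed.

```python
"""Pre-release secret scan for an unpacked Electron app bundle.

Added example, not part of the original article or Shopify's tooling.
Walks a directory (an already-extracted app.asar is assumed) and flags
strings shaped like GitHub tokens, so a token embedded in the build is
caught before the application ships.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# GitHub's prefixed token formats (introduced in 2021). The lengths below
# are matched loosely on purpose; the exact formats are an assumption here.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_oauth_token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "github_app_user_token": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "github_app_server_token": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "github_refresh_token": re.compile(r"\bghr_[A-Za-z0-9]{36,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}\b"),
}

# Binary assets that cannot sensibly carry a token string; skipped for speed.
SKIP_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".icns",
                   ".woff", ".woff2", ".ttf", ".node", ".dylib"}


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the scanned root
    line: int       # 1-based line number within that file
    kind: str       # key from TOKEN_PATTERNS
    redacted: str   # never the full secret, just enough to locate it


def redact(token):
    """Keep the prefix and last four characters so a report is not itself a leak."""
    return token[:8] + "..." + token[-4:]


def scan_text(text, path="<memory>"):
    """Return every token-shaped match in `text`, one Finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings


def scan_directory(root):
    """Scan every non-asset file under `root`; minified one-line bundles are fine."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                # latin-1 decodes any byte sequence; the tokens we look for are ASCII.
                text = fh.read().decode("latin-1")
            findings.extend(scan_text(text, os.path.relpath(full, root)))
    return findings


if __name__ == "__main__":
    # Constructed sample bundle: one file with a fake classic-PAT-shaped string.
    sample_root = tempfile.mkdtemp()
    os.makedirs(os.path.join(sample_root, "dist"))
    fake_token = "ghp_" + "A" * 36  # constructed, not a real token
    with open(os.path.join(sample_root, "dist", "main.js"), "w") as fh:
        fh.write("const api = 'https://api.github.com';\n")
        fh.write("const token = '" + fake_token + "';\n")
    for f in scan_directory(sample_root):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Wire `scan_directory` into the packaging step and fail the build on any finding; the redacted output is safe to put in CI logs. Matching on token shape rather than on variable names is what makes this catch a token buried in a minified bundle.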
In layman’s terms, no pixels were harmed in the process and no data was stolen by evil hackers.
Thank you, Zanellato!