Severe Shopify Flaw Exposed GitHub Access Token And Source Code Repositories


Computer science student Augusto Zanellato has earned a $50,000 payday following the discovery of a publicly available GitHub Personal Access Token (PAT) which gave access to the Shopify source code repositories. 

Zanellato spotted the exposed GitHub token in a .env file while reviewing a public macOS Electron-based app. The vulnerability gave access to both public and private repos and admin privileges, potentially allowing a less ethically-minded individual to tamper with repositories and even plant backdoors. Although Zanellato didn’t realize it at the time, the Electron-based app was developed by a Shopify employee. 

"After finding the GitHub token inside the application I tried to use it against the GitHub API to see what token it was, whom it belongs to, what privileges it had etc. I found out that the user in question was a member of the Shopify organization and that he had push and pull access to all the private Shopify repositories," Zanellato explained.

Upon discovering the flaw, Zanellato reported the issue to Shopify via the HackerOne bug bounty program. After the initial bug report earlier this year, the Shopify team worked on developing a fix. Consequently, the vendors deployed a patch by revoking the GitHub PAT. Nonetheless, given the severe impact of the flaw, they have labeled the bug as “critical” with a severity score of 10.0. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. Today the Shopify platform has more than 1.7 million customers across the globe – all of whom could have been impacted by the leaked token, had it been exploited. 

“I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds. Hackers on the other hand should always check what a token they found provides access to,” Zanellato said. 

“If I haven’t checked it manually with the GitHub API, I would have never discovered that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t have ever found that issue , Zanellato concluded.