Github Token Leaked publicly for
State Resolved (Closed)
Disclosed publicly 2018-10-08T12:57:23.028Z
Reported To
Weakness Cleartext Storage of Sensitive Information
Bounty $15,000

submitted a report to Snapchat.

Description :

GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 7 hours ago by user Yuanchen Bai - Software Engineer - Snap Inc.

Issue & POC :

You can find the leak in this link :

import os
import requests
import sys

pull_number = 76793
pull_url = "" + str(pull_number)  # base URL redacted in the public disclosure
payload = {}
# Hard-coded GitHub token: this literal is the leak the report is about
payload["Authorization"] = "token " + "9db9ca3440e535d90408a32a9c03d415979da910"
print(payload)
# The token is sent as the Authorization header of the API request
r = requests.get(pull_url, headers=payload)
I didn't try anything with the token, and don't know what access it has, and I know that in order to log in to you need to have an email @snap, but still I thought it would be a good idea to share this finding with you in case it can be used in a way that I don't know.

Best Regards


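The report above shows the classic failure: a long-lived API token pasted as a string literal next to the code that uses it. As an added example that is not part of the report or of Snap's code, the following Python shows the defender's side: a small scanner of the kind run as a pre-commit hook or in CI that flags hard-coded GitHub tokens in source text, and the hardened pattern of loading the token from an environment variable at run time instead. The token formats (40 hex characters for classic tokens, a `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix for newer ones), the credential keyword list, and the sample source lines are my own assumptions constructed for illustration; none of them is taken from the leaked repository.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed token formats (not stated by the report):
#  - classic GitHub tokens are 40 hexadecimal characters
#  - newer GitHub tokens carry a ghp_/gho_/ghu_/ghs_/ghr_ prefix
HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{40}(?![0-9a-fA-F])")
PREFIXED = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")

# A bare 40-hex string is also what a git commit SHA looks like, so a classic
# token is only reported when the same line mentions a credential keyword.
KEYWORDS = re.compile(r"token|authorization|secret|password|api[_-]?key", re.IGNORECASE)

# Constructed sample source resembling the report's snippet; the values are
# placeholders, not real credentials.
SAMPLE_SOURCE = """\
import requests
pull_number = 76793
payload = {}
payload["Authorization"] = "token " + "0123456789abcdef0123456789abcdef01234567"
BASE_COMMIT = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
GH_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
token = os.environ["GITHUB_TOKEN"]
"""


def redact(secret: str) -> str:
    """Keep only the ends of a secret so a finding can be reported without
    copying the full credential into logs or tickets."""
    return secret[:4] + "..." + secret[-4:]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted match) for every suspected
    hard-coded GitHub token in the given source text."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED.finditer(line):
            findings.append((lineno, "github-prefixed-token", redact(m.group(0))))
        if KEYWORDS.search(line):
            for m in HEX40.finditer(line):
                findings.append((lineno, "hex40-near-credential-keyword", redact(m.group(0))))
    return findings


def github_auth_header_from_env(env: Optional[Dict[str, str]] = None,
                                var: str = "GITHUB_TOKEN") -> Dict[str, str]:
    """Hardened counterpart of the report's payload: the token is read from the
    environment (or a secret manager) at run time, never from a source literal.
    Refuses to build a header when the variable is missing or empty, so a
    misconfiguration fails loudly instead of sending an empty credential."""
    source = os.environ if env is None else env
    token = source.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set; refusing to run without a token")
    return {"Authorization": "token " + token}


if __name__ == "__main__":
    for lineno, rule, redacted in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {redacted}")
    # Demonstrates the hardened loader with a constructed environment.
    print(github_auth_header_from_env({"GITHUB_TOKEN": "example-placeholder"}))
```

On the sample text the scanner flags the `payload["Authorization"]` line and the `ghp_` literal, but not the commit SHA on the `BASE_COMMIT` line (no credential keyword) or the `os.environ` lookup (no literal). Redacted output matters in practice: a finding that reproduces the whole token just creates a second copy of the leak. A scanner like this only reduces the chance of a commit; once a token has been pushed to a public host, as here, the only remediation is to revoke it, since the history is already indexed.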
cgrayson Activities::BugTriaged
Hey @th3g3nt3lman - thank you for the report. We confirmed that the token you discovered was valid and the repository has been taken down. We're going to assess the scope of impact and will let you know about the bounty shortly!

th3g3nt3lman Activities::Comment
Thanks @cgrayson for the quick response. I really didn't want to highlight this as high or critical, as I always prefer in such findings not to escalate or try something that might impact the target, so it's up to you to assess the risk. Very happy to help secure Snapchat.

th3g3nt3lman Activities::Comment
Dear @cgrayson, there is something I found that is not related to your BB program, but it might affect some users. I wanted to share it with you just as information; maybe you can speak to Google and take it off the net. There is someone hosting a suspicious website having "Snapchat inc" in the certificate, as you can see below: {F335558} The domain name is "" which is hosting suspicious JavaScript code exactly the same as the one used for Blind XSS attacks; when a user opens this site all his cookies and details will be stolen by the one managing this site. Maybe you won't be able to take any actions regarding this, and I don't know Google's policy regarding this, but I just wanted to share this with you. Best Regards,

cgrayson Activities::ReportSeverityUpdated


th3g3nt3lman Activities::Comment
That's the best day of my life @cgrayson @snapchat, you don't know how much this bounty can help me :) Thanks for your generosity. Thank you a lot guys.

th3g3nt3lman Activities::Comment
Dear @cgrayson, I know it's not my right to ask, just out of curiosity, what was the impact of the above if it reached bad hands? Doesn't the Google authentication somehow protect the access to this site even with the token leaked? I was thinking about this for the last week and would appreciate your answer if this is allowed, just to learn :) Best Regards,

divya Activities::BugResolved
@th3g3nt3lman The web interface needed a valid snap account, but not the API. Thanks again for your report!

th3g3nt3lman Activities::Comment
Thanks guys, it was nice working with you. Can we have a limited disclosure for this without exposing the code? Just like "researcher found a working token that affected one of our servers" or whatever you find suitable, maybe only the title of the report. I like to share with other researchers so they can learn, especially the new ones. Best Regards,

th3g3nt3lman Activities::AgreedOnGoingPublic