Github Token Leaked publicly for https://github.sc-corp.net
State Resolved (Closed)
Disclosed publicly 2018-10-08T12:57:23.028Z
Reported To Snapchat
Weakness Cleartext Storage of Sensitive Information
Bounty $15,000


Timeline
th3g3nt3lman submitted a report to Snapchat.
2018-08-17T09:49:01.636Z

Description :

GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 7 hours ago by user Yuanchen Bai - Software Engineer - Snap Inc.

Issue & POC :

You can find the leak at this link:
https://github.com/baiyuanchen/leetcode/blob/0eec6434940a01e490d5eecea9baf4778836c54e/TopicMatch.py


```python
import os
import requests
import sys

pull_number = 76793
# Internal GitHub Enterprise instance, reached through the REST API rather than the web UI
pull_url = "https://github.sc-corp.net/api/v3/repos/Snapchat/android/pulls/" + str(pull_number)
payload = {}
# Hard-coded personal access token: this literal is the leaked credential the report is about
payload["Authorization"] = "token " + "9db9ca3440e535d90408a32a9c03d415979da910"
print(payload)
# The report's quote of the file stops mid-call; passing the dict as request headers is the evident completion
r = requests.get(pull_url, headers=payload)
```

Impact

I didn't try anything with the token, and don't know what access it has, and I know that in order to log in to https://github.sc-corp.net you need to have an @snap email, but still I thought it would be a good idea to share this finding with you in case it can be used in a way that I don't know.

Best Regards,
Frans

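A check a defender could run as a pre-commit or CI step to catch the pattern shown in the report (a classic 40-hex GitHub token assigned into an Authorization header, plus a reference to a private GitHub Enterprise API host). This is an added example, not part of the original report or of Snap's tooling; the sample source, host name and token values are constructed, and the hex-plus-context heuristic is a simplification of what dedicated secret scanners do.

```python
import re
from typing import Dict, List

# Classic GitHub personal access tokens are 40 lowercase hex characters. Commit SHAs
# look identical, so a bare hex run is only reported when the same line carries an
# authentication context word; newer prefixed tokens (ghp_ etc.) are unambiguous.
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
PREFIXED = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")
AUTH_CONTEXT = re.compile(r"authorization|token|bearer", re.IGNORECASE)
# A private GitHub Enterprise API host in public code is worth a look even without a secret.
ENTERPRISE_API = re.compile(r"https?://github\.[\w.-]+/api/v3/")

def redact(secret: str) -> str:
    """Keep just enough of the value to recognise the finding, never the whole secret."""
    return secret[:4] + "..." + secret[-4:]

def scan_source(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious match: {'line', 'kind', 'value'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        host = ENTERPRISE_API.search(line)
        if host:
            findings.append({"line": lineno, "kind": "internal-github-api-host", "value": host.group(0)})
        for m in PREFIXED.finditer(line):
            findings.append({"line": lineno, "kind": "github-token", "value": redact(m.group(0))})
        for m in HEX40.finditer(line):
            if AUTH_CONTEXT.search(line):
                findings.append({"line": lineno, "kind": "github-token", "value": redact(m.group(0))})
    return findings

# Constructed sample with the same shape as the leaked snippet; host and token values are made up.
SAMPLE = """import requests
pull_url = "https://github.example-corp.invalid/api/v3/repos/Org/app/pulls/1"
payload = {}
payload["Authorization"] = "token " + "0123456789abcdef0123456789abcdef01234567"
# commit reference, not a secret:
# https://example.invalid/repo/blob/0eec6434940a01e490d5eecea9baf4778836c54e/x.py
backup_key = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
r = requests.get(pull_url, headers=payload)
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

The commit SHA on line 6 of the sample is deliberately left unflagged, since the same 40-hex shape appears in every blob URL and would otherwise bury real findings.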
cgrayson Activities::BugTriaged
2018-08-17T16:54:51.129Z
Hey @th3g3nt3lman - thank you for the report. We confirmed that the token you discovered was valid and the repository has been taken down. We're going to assess the scope of impact and will let you know about the bounty shortly!


th3g3nt3lman Activities::Comment
2018-08-17T16:57:49.751Z
Thanks @cgrayson for the quick response. I really didn't want to highlight this as high or critical, as in such findings I always prefer not to escalate or try something that might impact the target, so it's up to you to assess the risk. Very happy to help secure Snapchat.


th3g3nt3lman Activities::Comment
2018-08-20T09:35:34.009Z
Dear @cgrayson, there is something I found that is not related to your BB program, but it might affect some users. I wanted to share it with you just as information; maybe you can speak to Google and take it off the net. There is someone hosting a suspicious website with "Snapchat inc" in the certificate, as you can see below: {F335558} The domain name is "sn.ht", which is hosting suspicious JavaScript code exactly the same as the one used for Blind XSS attacks; when a user opens this site, all their cookies and details will be stolen by the one managing this site. Maybe you won't be able to take any action regarding this, and I don't know Google's policy regarding this, but I just wanted to share it with you. Best Regards,


cgrayson Activities::ReportSeverityUpdated
2018-08-20T17:11:26.620Z


Activities::BountyAwarded
2018-08-20T18:02:49.679Z


th3g3nt3lman Activities::Comment
2018-08-20T18:06:29.657Z
That's the best day of my life @cgrayson @snapchat, you don't know how much this bounty can help me :) Thanks for your generosity. Thank you a lot, guys.


th3g3nt3lman Activities::Comment
2018-08-26T21:59:02.184Z
Dear @cgrayson, I know it's not my right to ask, but just out of curiosity, what would the impact of the above have been if it had reached bad hands? Doesn't the Google authentication somehow protect access to this site even with the token leaked? I have been thinking about this for the last week and would appreciate your answer, if this is allowed, just to learn :) Best Regards,


divya Activities::BugResolved
2018-09-08T00:52:38.333Z
@th3g3nt3lman The web interface needed a valid snap account, but not the API. Thanks again for your report!


th3g3nt3lman Activities::Comment
2018-09-08T12:56:59.287Z
Thanks guys, it was nice working with you. Can we have a limited disclosure for this without exposing the code? Something like "researcher found a working token that affected one of our servers", or whatever you find suitable, maybe only the title of the report. I like to share with other researchers so they can learn, especially the new ones. Best Regards,


th3g3nt3lman Activities::AgreedOnGoingPublic
2018-09-08T12:57:18.741Z


Activities::ReportBecamePublic
2018-10-08T12:57:23.055Z