An ethical hacker, who wishes to remain anonymous, has publicly detailed how they earned a $50,000 bounty from Shopify for discovering a vulnerability that exposed the ecommerce giant’s GitHub access token.
The individual was examining an Electron application created by a Shopify employee when they found an .env file, which contained the GitHub token.
Using the curl command, they were able to use the token to access the GitHub API, from where they were able to view the Shopify organisation’s public and private repositories.
Although the user didn’t have admin rights, they were still able to view code, commit changes and create new repositories, which could have potentially resulted in code leaks.
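A pre-release check for the failure mode described above, a secret left in a .env file shipped inside an app bundle, as an added example that is not code from the article, the researcher or Shopify: it walks an unpacked app directory, parses any .env files and flags values in GitHub token format or high-entropy values under secret-looking keys. The sample .env, the resources/app layout and the entropy threshold are constructed assumptions for the demo.

```python
import math
import os
import re
import tempfile

# Real GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_) and the older 40-hex
# classic format; other values are judged by key name plus entropy.
GITHUB_TOKEN_RE = re.compile(r"^(gh[pousr]_[A-Za-z0-9]{36,}|[0-9a-f]{40})$")
SENSITIVE_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY", re.I)
ENTROPY_THRESHOLD = 3.5  # bits per char; an assumed cut-off, tune to your corpus

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random alphanumeric strings score around 4+."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parse_env(text: str) -> dict:
    """Minimal dotenv parser: KEY=VALUE lines, '#' comment lines, optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def find_leaked_secrets(root: str) -> list:
    """Walk an unpacked app bundle; return (path, key, reason) for each suspect value."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.startswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_env(fh.read())
            for key, value in env.items():
                if GITHUB_TOKEN_RE.match(value):
                    findings.append((path, key, "github-token-format"))
                elif SENSITIVE_KEY_RE.search(key) and shannon_entropy(value) > ENTROPY_THRESHOLD:
                    findings.append((path, key, "high-entropy-secret"))
    return findings

def demo() -> list:
    """Constructed .env mirroring the reported leak (fake token); returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "resources", "app")  # assumed unpacked Electron layout
        os.makedirs(app)
        with open(os.path.join(app, ".env"), "w") as fh:
            fh.write("# constructed sample, not a real token\nPORT=3000\n"
                     "GITHUB_TOKEN=ghp_" + "A1b2C3d4" * 5 + "\nDB_PASSWORD=Tr0ub4dor&3xample!\n")
        return find_leaked_secrets(tmp)
```

Run `demo()` to see both the token and the password flagged while `PORT` passes; wiring `find_leaked_secrets` into the packaging step catches the leak before the bundle ships.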
Shopify rewards bug bounty hunters with between $5,000 and $50,000 for reporting vulnerabilities, depending on their severity.