
"When he tested the token, Zimmermann said that it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed the ability to modify their contents. The researcher said the keys allowed access to Home Depot's cloud infrastructure, including its order fulfillment and inventory management systems, and code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub's website."
"Zimmermann said he sent several emails to Home Depot but didn't hear back. Nor did he get a response from Home Depot's chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn. Zimmermann told TechCrunch that he has disclosed several similar exposures in recent months to companies, which have thanked him for his findings. 'Home Depot is the only company that ignored me,' he said."
Security researcher Ben Zimmermann found a published GitHub access token belonging to a Home Depot employee in early November; the token had been exposed since early 2024. When tested, the token granted access to hundreds of private Home Depot source code repositories and permitted modification of their contents. The same credentials also allowed access to Home Depot's cloud infrastructure, including its order fulfillment and inventory management systems and its code development pipelines. Multiple emails to Home Depot and a LinkedIn message to its chief information security officer received no response, and Home Depot had no public vulnerability disclosure or bug bounty program through which the finding could be reported. After TechCrunch contacted Home Depot, the token was removed and the exposed access was fixed.
Read at TechCrunch