back to article Compsci student walks off with $50,000 after bug bounty report blows gaping hole in Shopify software repos

Shopify has forked out $50,000 (£36,150) in a bug bounty payment to computer science student Augusto Zanellato following the discovery of a publicly available access token which gave world+dog read-and-write access to the company's source code repositories. Zanellato uncovered the vulnerability while investigating a third- …

  1. Richard 12 Silver badge
    Holmes

    Separate accounts is the only way

    Microsoft, Apple, Google, Amazon and Facebook don't want people to do that and in some cases ban it, but it is the only way to have decent security.

    A work account and a personal account, and ne'er the twain shall meet.

  2. flibble

    Really a large flaw in github

    I think anyone that has authorised external services to access GitHub one way or another has run into this issue if they're paying attention. I've had to create secondary GitHub accounts (with more limit permissions) multiple times to be able to generate tokens with sufficiently limited privileges (or at least not massively over reaching permissions), and having that many extra GitHub accounts hanging around creates other potential problems.

    It's something GitHub really need to address. There are a lot of tokens out there, it's pure luck that there haven't been more incidents.

  3. DevOpsTimothyC

    It's something GitHub really need to address. There are a lot of tokens out there, it's pure luck that there haven't been more incidents.

    It's really easy to address in GH. Require your dev's to access GH via corporate SSO and not via their personal logins.

    Granted it will annoy alot of developers having to auth to github via their org rather than with personal credentials, but it's not GH's fault that many org's allow access via accounts they do not control and have not locked down

  4. Pascal Monett Silver badge
    Mushroom

    "he had push and pull access to all the private Shopify repositories"

    And he inculded that access in the code he made publicly available.

    He should be banned from posting to GitHub permanently.

    1. yetanotheraoc Silver badge
      Go

      Security is so inconvenient

      Now that his token is revoked, did his unnamed macOS application stop working? Of course the easy fix would be to update the environment file with a new working token.

    2. Michael Wojcik Silver badge

      Re: "he had push and pull access to all the private Shopify repositories"

      This happens all the time.

  5. elsergiovolador Silver badge

    Generosity

    Was it really generous though given what could have happened if the token was in the wrong hands?

    They had $1,541.5 million of profit in 2020. The pay out equates to about 0.003% of that amount.

    Surely they could add one or two zeroes.

    Also why would you include a token in your app at all?

    1. This post has been deleted by its author

    2. Dave314159ggggdffsdds Silver badge

      Re: Generosity

      50k is still a lot of money. I bet it came with 'and give us a call when you finish studying, please', too.

      I've stopped a major bank from making a much bigger mistake, and all the compensation I got for it was via the financial ombudsman for the screw-up as far as it affected me.

      50k for 'you left your keys in the door' seems OK to me.

      1. elsergiovolador Silver badge

        Re: Generosity

        Yes it is a level of a year's worth salary, but I think it is a wrong way to look at it.

        These kind of companies amass billions because of embedding these slogans like that they pay market rates, other people make less and other manipulative stuff.

        The pay in those companies is not related in any way to the value workers produce. The question I would have, if the "key" found itself in wrong hands, what % that $50k of potential losses would make?

        I'd say it's a tiny %.

        It's interesting how IT people devalue their work.

      2. teebie

        Re: Generosity

        If the token for nefarious purposes, it could well do more than 50k of damages, but earn less than 50k for the attacker, so generosity seems smart here.

        I'm not sure about "give us a call when you finish studying" - if they said that then why is Zanellato cunningly slipping bits of their CV into interviews?

        1. Dave314159ggggdffsdds Silver badge

          Re: Generosity

          "then why is Zanellato cunningly slipping bits of their CV into interviews?"

          Eggs, baskets, etc.

      3. TeeCee Gold badge

        Re: Generosity

        That's: "you left your keys in the door and oh, look, the keys to your safe deposit box, the back door to your office and your new Bentley are on there too.".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like