Thursday, 14 May 2015

How GitHub added a button because of me

Hi all! This time I'm writing a slightly different kind of post.

Last month I was browsing GitHub Gist, reading a little script, and I forked it. I opened Chrome and navigated to my Gist URL, but I was logged in with another account, and then I decided to comment on that Gist to do some tests.

While testing I noticed that I (the admin and creator of the Gist) could edit it, delete it... but I WASN'T ABLE to edit other users' comments. I did not find that option in either the GitHub API or the UI.

  • I opened my proxy
  • I edited a comment I had made previously
  • I changed the ID of the comment in the request to the ID of another user's comment
  • I forwarded the request

Surprisingly the comment was edited, so I thought it could be a security risk (because the UI did not offer users that option), so I reported it to their Bug Bounty Program.
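
The gap described above, a server that accepts an edit the UI never offers, can be found by evaluating both rules for every actor and comment and listing where they disagree. This is an added example, not code from this post or from GitHub; the two policy functions, the handler, the names and the sample data are all hypothetical.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Comment:
    id: int
    author: str
    gist_owner: str  # owner of the gist this comment belongs to

# Constructed sample data: the gist owner's own comment and a visitor's comment.
COMMENTS = [Comment(1, "owner", "owner"), Comment(2, "visitor", "owner")]
ACTORS = ["owner", "visitor", "stranger"]
BODIES = {1: "first", 2: "second"}

def server_allows_edit(actor: str, c: Comment) -> bool:
    """Hypothetical server rule: the comment author or the gist owner may edit."""
    return actor in (c.author, c.gist_owner)

def ui_offers_edit(actor: str, c: Comment) -> bool:
    """Hypothetical UI rule: the edit control is rendered only for the author."""
    return actor == c.author

def handle_edit(actor: str, comment_id: int, body: str) -> int:
    """Authorize against the comment named in the request, not the one the UI rendered."""
    c = next((x for x in COMMENTS if x.id == comment_id), None)
    if c is None:
        return 404
    if not server_allows_edit(actor, c):
        return 403
    BODIES[comment_id] = body
    return 200

def policy_drift(actors, comments):
    """List every (actor, comment id, kind) where the UI and the server disagree."""
    drift = []
    for actor, c in product(actors, comments):
        server, ui = server_allows_edit(actor, c), ui_offers_edit(actor, c)
        if server and not ui:
            drift.append((actor, c.id, "server-allows-but-ui-hides"))
        elif ui and not server:
            drift.append((actor, c.id, "ui-offers-but-server-denies"))
    return drift

if __name__ == "__main__":
    for row in policy_drift(ACTORS, COMMENTS):
        print(row)
```

Each row it reports needs a decision: either the server rule is too broad and needs a check, or the action is intended and the UI should expose it.
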
Sadly I got this after a few emails from one of their engineers:

8th April, first answer from their team:
Then I was like: "Awwwwwwwwwwwwwwwww yeaaaaaaaaaaah", but after a few emails...

6th May, final answer:
At this moment I was like: "Oh man, today is going to be a very baaaaaaaaaaaad day".

This was my Proof of Concept video which I attached to my report:

Github Bug Bounty Report from Miguel Ángel Jimeno Arce on Vimeo.

Finally I'm happy with this report and I agree with their decision.

I would like to thank their security team and especially Greg Ose.

