Select An AI Action To Trigger Against This Article

$50,000 Bounty: GitHub Access Token

How a hidden token in a desktop app could have compromised one of the world’s biggest e-commerce platforms

Introduction

Imagine stumbling across a GitHub token that gives write access to a company’s private repositories. That’s not just a security bug it’s a potential supply chain disaster.

That’s exactly what security researcher Augustozanellato found when reverse engineering a MacOS desktop application made by a Shopify employee. His discovery earned him a massive $50,000 bounty from Shopify’s bug bounty program.

Let’s break down what happened how he found it why it’s so critical and how YOU can find similar bugs.

The Vulnerability

Where was the bug?

  • Inside a publicly available MacOS desktop app (built using Electron framework).
  • Buried inside the app’s files was a leftover .env file containing environment variables.
  • One of these variables was GH_TOKEN — a GitHub Personal Access Token (PAT) issued to a Shopify employee.

This token had

  • Read access to private Shopify GitHub repositories
  • Write access (push permission)
Back
Run Some AI Magic On Article

$50,000 Bounty: GitHub Access Token | by Monika sharma | May, 2025 | InfoSec Write-ups

Click on the Run Some AI Magic button and choose an AI action to run on this article