$50,000 Bounty: GitHub Access Token | by Monika sharma | May, 2025 | InfoSec Write-ups


AI Summary Hide AI Generated Summary

Key Finding

A security researcher, Augustozanellato, found a GitHub Personal Access Token (PAT) with write access to private Shopify repositories within a publicly available MacOS desktop application. This vulnerability earned the researcher a $50,000 bounty from Shopify's bug bounty program.

Vulnerability Details

The vulnerability stemmed from a leftover .env file within the application's files. This file contained environment variables, one of which was the GH_TOKEN. This token granted both read and write access to Shopify's private GitHub repositories.

Impact

The discovery underscores a serious supply chain risk. Unauthorized access to the private repositories could have had devastating consequences for Shopify and its users.

Lesson Learned

The incident highlights the importance of secure coding practices, thorough code reviews, and robust security measures to prevent such vulnerabilities. Removing sensitive information like access tokens from publicly accessible applications is crucial for maintaining security and preventing data breaches.

Sign in to unlock more AI features Sign in with Google

$50,000 Bounty: GitHub Access Token

How a hidden token in a desktop app could have compromised one of the world’s biggest e-commerce platforms

Introduction

Imagine stumbling across a GitHub token that gives write access to a company’s private repositories. That’s not just a security bug it’s a potential supply chain disaster.

That’s exactly what security researcher Augustozanellato found when reverse engineering a MacOS desktop application made by a Shopify employee. His discovery earned him a massive $50,000 bounty from Shopify’s bug bounty program.

Let’s break down what happened how he found it why it’s so critical and how YOU can find similar bugs.

The Vulnerability

Where was the bug?

  • Inside a publicly available MacOS desktop app (built using Electron framework).
  • Buried inside the app’s files was a leftover .env file containing environment variables.
  • One of these variables was GH_TOKEN — a GitHub Personal Access Token (PAT) issued to a Shopify employee.

This token had

  • Read access to private Shopify GitHub repositories
  • Write access (push permission)

Was this article displayed correctly? Not happy with what you see?

Tabs Reminder: Tabs piling up in your browser? Set a reminder for them, close them and get notified at the right time.

Try our Chrome extension today!


Share this article with your
friends and colleagues.
Earn points from views and
referrals who sign up.
Learn more

Facebook

Save articles to reading lists
and access them on any device


Share this article with your
friends and colleagues.
Earn points from views and
referrals who sign up.
Learn more

Facebook

Save articles to reading lists
and access them on any device