$50,000 Bounty: GitHub Access Token | by Monika sharma | May, 2025 | InfoSec Write-ups

A security researcher discovered a GitHub access token within a Shopify desktop application, leading to a $50,000 bug bounty and highlighting a critical supply chain vulnerability.
AI Summary available — skim the key points instantly. Show AI Generated Summary
Show AI Generated Summary

$50,000 Bounty: GitHub Access Token

How a hidden token in a desktop app could have compromised one of the world’s biggest e-commerce platforms

Introduction

Imagine stumbling across a GitHub token that gives write access to a company’s private repositories. That’s not just a security bug it’s a potential supply chain disaster.

That’s exactly what security researcher Augustozanellato found when reverse engineering a MacOS desktop application made by a Shopify employee. His discovery earned him a massive $50,000 bounty from Shopify’s bug bounty program.

Let’s break down what happened how he found it why it’s so critical and how YOU can find similar bugs.

The Vulnerability

Where was the bug?

  • Inside a publicly available MacOS desktop app (built using Electron framework).
  • Buried inside the app’s files was a leftover .env file containing environment variables.
  • One of these variables was GH_TOKEN — a GitHub Personal Access Token (PAT) issued to a Shopify employee.

This token had

  • Read access to private Shopify GitHub repositories
  • Write access (push permission)

Was this article displayed correctly? Not happy with what you see?

See Archived Versions Request Manual Review
Category: Security
Tags: GitHub Bug Bounty Security Vulnerability Shopify Supply Chain
Tabs Reminder: Tabs piling up in your browser? Set a reminder for them, close them and get notified at the right time.

If you often open multiple tabs and struggle to keep track of them, Tabs Reminder is the solution you need. Tabs Reminder lets you set reminders for tabs so you can close them and get notified about them later. Never lose track of important tabs again with Tabs Reminder!

Try our Chrome extension today!

Add to Chrome

Share this article with your
friends and colleagues.
Earn points from views and
referrals who sign up.
Learn more

Twitter/X
WhatsApp
Facebook
Save articles to reading lists
and access them on any device
Sign In With Google

Share this article with your
friends and colleagues.
Earn points from views and
referrals who sign up.
Learn more

Twitter/X
WhatsApp
Facebook
Save articles to reading lists
and access them on any device
Sign In With Google