A 281-character post on Twitter has revealed a concerning finding by a Bug Bounty Program (BBP) participant, who appears to have located a live GitHub access token in an API endpoint, which allowed them full access to a target organisation’s private repositories.
The user was able to clone two private repositories after authenticating to GitHub with the username and token details they had found.
The discovery was confirmed as a P1 bug and was fixed shortly after being reported to the vulnerability disclosure programme (VDP).
Key lessons from the incident include asking AI assistants for help in such situations, and thinking through the maximum impact that can be demonstrated safely, without causing damage.