Cracking Github leaderboard

As you might know, GitHub is a web-based Git repository hosting service which offers all of the distributed revision control and source code management (SCM) functionality of Git, as well as adding its own features.

Later this year GitHub started a bug bounty; earlier they used to send swag to bug reporters and add their name to the GitHub security page.

Cracking the bug bounty for the main domain is really hard because of the competition all around. And, like always, I will repeat: your social friends' newsfeed matters a lot in bug bounty.

I remember one of my Facebook friend's posts: "Easel.io is acquired by GitHub".

I was like


Although clickjacking (CJ) does not affect much of Easel's functionality, as a bug hunter it is my responsibility to report things. It is up to the vendor whether they accept the bug or not.

Well, they had just acquired Easel and they considered the CJ; as a result I got listed on their "Original Gangster" list, with some awesome swag.

Well, CJ was still working for me :P.

A few days later I got bored, so I thought I would dig into Easel.io again (that was my private swag mine). This time Tamper Data worked for me. There were CSRF tokens all over the application, but those tokens were not being validated on the server side. This time the bug was critical: it could take over any account by changing the email address using a typical CSRF attack (sorry, can't find the POC for this in my mail). I reported the CSRF without any POC; GitHub's security guys were smart enough to reproduce it. Guess what! Another GitHub packet for me, and this time I was on the leaderboard (the only Indian at that time 😛) with 500 pts. GitHub created a special page for me (https://bounty.github.com/researchers/introvertmac.html).
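To make the Easel finding concrete, here is an added example (not code from the original post or from Easel/GitHub) that models the bug in plain Python: a handler that renders a CSRF token but never checks it, beside one that validates the token against the session in constant time. The session, email addresses and token format are constructed assumptions; a real app would bind the token to the logged-in session and reject on mismatch exactly as the validated handler does.

```python
# Added example: why a CSRF token that is never validated server-side protects nothing.
import hmac
import secrets

def issue_csrf_token(session):
    """Mint a per-session secret, store it server-side; the HTML form echoes it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def change_email_unvalidated(session, form):
    """The buggy pattern described above: the token travels with the form but is never compared."""
    session["email"] = form["email"]
    return True

def change_email_validated(session, form):
    """Hardened handler: reject unless the submitted token matches the session token (constant time)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return False          # no state change, request rejected
    session["email"] = form["email"]
    return True

def cross_site_request(new_email):
    """Request a third-party page can make the victim's browser send: session cookies ride along,
    but the same-origin policy hides the real token, so the request carries only a guess."""
    return {"email": new_email, "csrf_token": secrets.token_urlsafe(32)}

def run_scenario(handler):
    """Victim logs in, is issued a token, then their browser submits a cross-site form."""
    session = {"email": "victim@example.com"}   # constructed sample session
    issue_csrf_token(session)
    handler(session, cross_site_request("attacker@example.com"))
    return session["email"]                      # whose address is on the account now?

if __name__ == "__main__":
    print("unvalidated handler ->", run_scenario(change_email_unvalidated))  # attacker@example.com
    print("validated handler   ->", run_scenario(change_email_validated))    # victim@example.com
```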


Well, that's not the end; I reported a few more CSRFs (login) later this week. Easel was still my private swag mine until yesterday, when they sent me this:

Easel is shutting down 😦 Easel.io will be missed 😛 for sure.

All I can say is that bug bounty is fun; just keep your eyes open.

logging off…

@umenmactech
