>>> Security Report: Private Feed Through a Public Read Access Token

>>> Reported: January 28, 2022 10:18pm +0530

>>> Description: During our security testing of the application hubs.mozilla.com as part of Mozilla's bug bounty program, we identified an access-control vulnerability in GitHub's API: private feed data could be read with a public read access token. Using such a token, we fetched the API endpoint https://api.github.com/feeds and received feeds containing both private user data and private organization data.

To reproduce the issue, we followed these steps:

1. Created a public access token with no permissions selected.
2. Sent a curl request with the token to the GitHub API endpoint:
   curl https://api.github.com/feeds -H "Authorization: token ghp_{your_token}"
3. Received a JSON response containing 2-3 URLs, depending on the number of organizations the user belongs to.
4. Found that the returned URLs gave access to private data, including internal pull requests, which was not intended.

This bypass of OAuth permissions represents a significant security risk for GitHub users and their organizations, as private data could be accessed without proper authorization. The feed data exposed internal pull request data of the organizations the user belonged to. We immediately reported this vulnerability to GitHub's security team and worked with them to remediate the issue. We were awarded a bounty for our responsible disclosure of this vulnerability.
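As an added example (not part of the original report), the following Python script implements the regression check a token owner or security team can run after such a fix: it parses a /feeds response and flags every URL that points at a private feed. The JSON field names are assumed from the documented shape of GitHub's feeds response (the report does not quote the JSON), and the URL values are constructed samples.

```python
"""Audit helper: flag private feed URLs in a GitHub /feeds response (added example)."""
import json
import urllib.request
from urllib.parse import urlparse, parse_qs

# Field names follow the documented shape of GitHub's "Get feeds" response
# (an assumption; the report does not quote the JSON). URL values are constructed samples.
SAMPLE_FEEDS_RESPONSE = json.dumps({
    "current_user_public_url": "https://github.com/example-user",
    "current_user_url": "https://github.com/example-user.private?token=SAMPLE_FEED_TOKEN",
    "current_user_organization_urls": [
        "https://github.com/organizations/example-org/example-user.private.atom?token=SAMPLE_FEED_TOKEN",
        "https://github.com/organizations/second-org/example-user.private.atom?token=SAMPLE_FEED_TOKEN",
    ],
})

def _walk(value):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _walk(item)
    elif isinstance(value, list):
        for item in value:
            yield from _walk(item)

def find_private_feed_urls(feeds_json: str) -> list:
    """Return URLs that point at private feeds: a '.private' path or an embedded feed token."""
    hits = []
    for text in _walk(json.loads(feeds_json)):
        parts = urlparse(text)
        if parts.scheme not in ("http", "https"):
            continue
        if ".private" in parts.path or "token" in parse_qs(parts.query):
            hits.append(text)
    return hits

def check_token(token: str) -> list:
    """Live regression check: returns the private feed URLs the given token can obtain."""
    req = urllib.request.Request(
        "https://api.github.com/feeds",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return find_private_feed_urls(resp.read().decode())
```

check_token(token) runs the same check live; if the access control is correct, a token created with no permissions should yield an empty list, and any hit should be logged by path only so the embedded feed token is not written to logs.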

As always, we remain committed to identifying and reporting vulnerabilities in software and web applications to help keep our clients' data safe and secure.