Home Depot GitHub token exposed for a year, granted access to internal systems

Original link: https://techcrunch.com/2025/12/12/home-depot-exposed-access-to-internal-systems-for-a-year-says-researcher/

In early 2024, a Home Depot employee accidentally exposed a private access token online, giving a security researcher unauthorized access to the company's internal systems for nearly a year. The researcher, Ben Zimmermann, found the token on GitHub and discovered that it unlocked hundreds of private code repositories, including those controlling order fulfillment and inventory management. Although Zimmermann made several attempts to notify Home Depot privately, including contacting its CISO, he received no reply. He eventually contacted TechCrunch, which alerted the company last week. Home Depot then revoked the token's access and removed it from public view. The company has not commented on whether the token was abused during the period it was exposed, or whether it is investigating a potential breach. Notably, Home Depot has no vulnerability disclosure program, which hinders security researchers' ability to report flaws responsibly.

Original article

A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees published a private access token online, likely by mistake. The researcher found the exposed token and tried to privately alert Home Depot to its security lapse but was ignored for several weeks. 

The exposure is now fixed after TechCrunch contacted company representatives last week.

Security researcher Ben Zimmermann told TechCrunch that, in early November, he found a published GitHub access token belonging to a Home Depot employee, which was exposed sometime in early 2024. 

When he tested the token, Zimmermann said, it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed their contents to be modified.

The researcher said the token allowed access to Home Depot’s cloud infrastructure, including its order fulfillment and inventory management systems and its code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub’s website.

Zimmermann said he sent several emails to Home Depot but didn’t hear back. 

Nor did he get a response from Home Depot’s chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn.

Zimmermann told TechCrunch that he has disclosed several similar exposures in recent months to companies, which have thanked him for his findings. 

“Home Depot is the only company that ignored me,” he said.

Given that Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted TechCrunch in an effort to get the exposure fixed.

When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.

We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
