Release-Drafter To google/accompanist Compromise: VRP Writeup

Summary

Shortly after Hugo Vincent of Synacktiv published his blog post on the Dependabot actor confusion technique, I set out to identify interesting repositories vulnerable to this attack technique. One repository I quickly found was that of the Release Drafter reusable GitHub Action. Anyone with a GitHub account could have used a pull request with the Dependabot actor confusion technique to obtain a GITHUB_TOKEN that could modify the tags associated with the action. This means that ALL downstream users of this action who reference it via tags (which are mutable!) instead of a commit SHA would be vulnerable to a supply chain attack. ...

November 12, 2024 · 6 min · adnanthekhan
BlackHat 2024 and DEF CON 32 Preview

Overview

In just over a week from now, I’ll be speaking at Black Hat 2024 and DEF CON 32 along with my co-presenter John Stawinski. Our talks will focus on attacks against self-hosted runners on public repositories, illustrated by real world case studies involving companies you’ve definitely heard of. Our research campaign leading to these talks exceeded every expectation that I had when we started it. One of the bug bounties was for a whopping $100,000! ...

July 30, 2024 · 4 min · adnanthekhan

Welcome to my blog - there is more to come!

I’ve been quite busy with hacking in my spare time, and most of my writing time has been allocated to reports. Now that I’m allowed to talk about some of my most impressive hacks, I plan to post detailed writeups here so that the security community can be on the lookout for these kinds of attacks. The most significant vulnerability I reported was one that provided a path to backdoor the GitHub Actions runner images used for hosted builds on GitHub.com. After a long wait, GitHub resolved the report at Critical severity and paid out a $20,000 bounty. ...

December 16, 2023 · 3 min · adnanthekhan