Home Depot exposed access to internal systems for a year, says researcher

A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees published a private access token online, likely by mistake. The researcher found the exposed token and tried to privately alert Home Depot to its security lapse, but was ignored for several weeks.

The exposure is now fixed after information.killnetswitch contacted company representatives last week.

Security researcher Ben Zimmermann told information.killnetswitch that, in early November, he found a published GitHub access token belonging to a Home Depot employee, which had been exposed sometime in early 2024.

When he tested the token, Zimmermann said that it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed him to modify their contents.

The researcher said the keys allowed access to Home Depot's cloud infrastructure, including its order fulfillment and inventory management systems and its code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub's website.


Zimmermann said he sent several emails to Home Depot but didn't hear back.

Nor did he get a response from Home Depot's chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn.

Zimmermann told information.killnetswitch that he has disclosed several similar exposures in recent months to other companies, which thanked him for his findings.

“Home Depot is the only company that ignored me,” he said.

Given that Home Depot doesn't have a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted information.killnetswitch in an effort to get the exposure fixed.

When reached by information.killnetswitch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but didn't respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token's access was revoked soon after our outreach.

We also asked Lane whether Home Depot has the technical means, such as logs, to determine if anyone else used the token to access any of Home Depot's internal systems during the months it was left online. We didn't hear back.
