My write-up’s, Discoveries & Open Source Contributions

Github Organization Takeover By Claiming Owner Invitation

Posted on — Jan 7, 2021


Github Public courtesy - https://bounty.github.com/researchers/Abss0x7tbh.html

A malicious user could leverage 3 things to takeover a Github Organization :

This bug was reported on Nov 17,2017 and was one of my very first bugs.

The Invitation feature

Through github.com one can create an organization within their personal account and invite team members. I was hard on checking for any account privilege escalations here.

So whilst surfing through github.com, i created an organization and started testing. I noticed that only the team maintainer or the owner can invite people to the organization. When sending the invite, the invitee could either be a github user or someone who is new to github.

If the user is new to github then the invitation has to be sent via their email only. If they are already a github user we have an option to choose their username and then send the invitation.

Invite Via email

As seen below, we can also chose the privilege of the invitee and send the invitation. The owner has complete control over the organization.

Inviting owner

With the invite sent, i intuitively created a new github account with the invitee email instead of the basic email invitation > account creation + accepting invitation.

I noticed that at the github.com/org_name page, i had my invitation displayed.

Web Invitation

Well this was normal as github does display invitations as such. The next thing that hit me was that i forgot the email verification part whilst creating the above account. So this meant I can be someone impersonating this invitee.

As I hadn’t verified my email yet the invitation could just be a client-end display notification and not a legit endpoint with the invitation token?

Well that wasn’t the case! I was able to accept the invitation and join the org as the new owner!

Accept Invitation Joined Org


It was time to file the report by first creating a scenario.

Here’s what would happen :

I was able to find a couple of similar bugs henceforth.


Bug reported - Nov 8th 2017

Bug Resolved/Bounty/Swag - $5000 - Nov 16th 2017


Share on: