A malicious user could leverage 3 things to take over a GitHub organization:
This bug was reported on Nov 17, 2017 and was one of my very first bugs.
Through github.com one can create an organization within their personal account and invite team members. I was focused on checking for any account privilege escalation here.
So while browsing github.com, I created an organization and started testing. I noticed that only a team maintainer or the owner can invite people to the organization. When sending the invite, the invitee can be either an existing GitHub user or someone who is new to GitHub.
If the user is new to GitHub, the invitation has to be sent to their email address. If they already have a GitHub account, there is an option to select their username and send the invitation.
As seen below, we can also choose the privilege level of the invitee and send the invitation. The owner has complete control over the organization.
With the invite sent, I intuitively created a new GitHub account using the invitee's email address instead of following the basic flow: email invitation > account creation + accepting the invitation.
I noticed that on the github.com/org_name page, my invitation was displayed.
This was normal, as GitHub does display invitations this way. The next thing that hit me was that I had skipped the email verification step while creating the account above. This meant I could be someone impersonating the invitee.
Since I hadn't verified my email yet, would the invitation just be a client-side display notification rather than a legitimate endpoint with the invitation token?
Well, that wasn't the case! I was able to accept the invitation and join the org as the new owner!
It was time to file the report, starting by writing up a scenario.
Here's what would happen:
github.com/org_name without any checks, also revealing the invitation_token.
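The root cause described above is an invitation-acceptance step that trusts whoever presents the token, without confirming that the accepting account has actually verified ownership of the invited email address. The following is an added illustration, not GitHub's code and not part of the original write-up: a constructed in-memory invitation store (the class names, the `accept_unchecked`/`accept` methods and the sample org and addresses are all assumptions) showing the unchecked acceptance beside a hardened version that requires a verified, matching address and a single-use token, plus a public listing that never exposes the token.

```ruby
require 'securerandom'

# Constructed data model for the example (not GitHub's schema).
Invitation = Struct.new(:token, :org, :invited_email, :role, :accepted, keyword_init: true)
User       = Struct.new(:login, :email, :email_verified, keyword_init: true)

class OrgInvitations
  def initialize
    @by_token = {}                              # token => Invitation
    @members  = Hash.new { |h, k| h[k] = {} }   # org   => { login => role }
  end

  # Owner/maintainer action: create a pending invitation for an address.
  def invite(org:, email:, role:)
    token = SecureRandom.hex(16)
    @by_token[token] = Invitation.new(token: token, org: org, invited_email: email,
                                      role: role, accepted: false)
    token
  end

  def role_of(org, login)
    @members[org][login]
  end

  # Vulnerable shape: possession of the token is the only check, so any
  # account (verified or not) can claim the invited role.
  def accept_unchecked(token, user)
    inv = @by_token[token]
    return :no_such_invitation unless inv
    @members[inv.org][user.login] = inv.role
    inv.accepted = true
    :accepted
  end

  # Hardened shape: the accepting account must have a verified address that
  # matches the invitation, and the token is consumed on first use.
  def accept(token, user)
    inv = @by_token[token]
    return :no_such_invitation unless inv
    return :already_used       if inv.accepted
    return :email_not_verified unless user.email_verified
    return :email_mismatch     unless same_address?(user.email, inv.invited_email)
    @members[inv.org][user.login] = inv.role
    inv.accepted = true
    :accepted
  end

  # What a public org page may safely show: pending invites without tokens.
  def public_pending(org)
    @by_token.values
             .select { |i| i.org == org && !i.accepted }
             .map    { |i| { invited_email: i.invited_email, role: i.role } }
  end

  private

  # Compare addresses case-insensitively; real systems should normalise further.
  def same_address?(a, b)
    a.to_s.strip.downcase == b.to_s.strip.downcase
  end
end
```

In the hardened path the important ordering is that verification and address matching are checked before any role is written, and that the token is marked used so a leaked or replayed token cannot be accepted twice.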
I was able to find a couple of similar bugs afterwards.
Bug reported - Nov 8th 2017
Bug Resolved/Bounty/Swag - $5000 - Nov 16th 2017