hackerone-shopify-2020-09-n-858915
CircleCI token in github repo allows for access to sensitive build information
A CircleCI token was found in a GitHub repository; with it, sensitive build information could be viewed. The token was confirmed to be valid with the API call curl https://circleci.com/api/v1.1/me?circle-token=<<token>>.
Using this token, build information was browsed, and sensitive-looking data such as "flowdock_api_token" : "7e6b75e2335d035c192c338b390ee9e5", was cited as an example of what was found.
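Added here as a defender's check, not part of the original report: a small Python scanner for the two secret shapes the report describes, a circle-token query parameter (40 hex characters, as in the URL above) and a flowdock_api_token value in a build dump (32 hex characters). The regexes and the sample input are assumptions constructed from those shapes, and each finding is masked so the scan report does not re-leak the secret.

```python
import re
from typing import List, NamedTuple

# Patterns for the two secret shapes seen in this report. They are constructed
# from the shapes on the page, not from an official CircleCI or Flowdock spec:
#   - a CircleCI token passed as a circle-token query parameter (40 hex chars)
#   - a flowdock_api_token value inside a JSON/env dump (32 hex chars)
PATTERNS = {
    "circleci_token": re.compile(r"circle-token=([0-9a-f]{40})\b"),
    "flowdock_token": re.compile(r'"flowdock_api_token"\s*:\s*"([0-9a-f]{32})"'),
}


class Finding(NamedTuple):
    kind: str
    line_no: int
    masked: str  # first 4 chars kept, the rest replaced with '*'


def mask(secret: str) -> str:
    """Keep a short prefix for triage; never write the full value to a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str) -> List[Finding]:
    """Scan repository content line by line for the token shapes above."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(kind, n, mask(m.group(1))))
    return findings


# Constructed sample input (fake values): a script that embeds a token in a
# CircleCI API URL, a config dump with a Flowdock token, and a non-hex decoy.
SAMPLE = """#!/bin/sh
curl "https://circleci.com/api/v1.1/me?circle-token=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
{ "flowdock_api_token" : "0123456789abcdef0123456789abcdef" }
echo "circle-token=notahexvalue"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind} at line {f.line_no}: {f.masked}")
```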
The project's checkout keys could also be listed by querying the project as follows.
curl https://circleci.com/api/v1.1/project/github/Shopify/u2/checkout-key?circle-token=ca84774a88598f639b174d498c219163e04adbb2
[ {
"public_key" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpvB3DfDKTHA7FoYR7GCDX4KzvNZuDoYH6cyLm2MGahYHXQXYhD/f+tUfrQadkt/fzkNElftncXSFj6kgzj2UeAhG1uQnAkA/neaUxhohdE21WwV4FH31hq30TgcJqFu4EN5nqaoaceY6MJvmtT/n1z3yGaJ/o3XgOwkY2GmiAvHBm6RdIlW0PX5t7elm4O9E6pDEo/6MwiuhtSQE3QPNMVM0w5ImRsSukiya8j7sgY5hco3a3Vo67dzM69+JiifgEutnC3Xv4x3bp1SS2Mww7wUGMgCaVtKMoQhSoqlft8mIWxCaIwdKXMyT8JmFmh16uBqKYWjJI+hj0ZS/sAox3 \n",
"type" : "github-user-key",
"fingerprint" : "b3:8c:e5:2f:fd:b8:f9:f1:4b:73:8f:fb:94:ed:6d:66",
"login" : "shopify-dep",
"preferred" : true,
"time" : "2016-03-18T20:15:11.599Z"
}, {
"public_key" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn5QuM7S1Rebg3A2P29L3fJL1vELVX2YKZEyZiIx4S9wnGQdsEq9AHZfUfhmG7ko+Yu8hU73nYEjhPozc4QWgjroAEtnnurCW4Ol/CEU7SYt0P5tv1sXweahNT0LiUY6nJcQMxYu2y4Zn4+F6gk80GIqk7sZKSOLXi58fZO99Gu4rx0YNDKyzmZMkXNlxnP6692Tkxap0ce9hbl3sABnuwB0/jqAnyvLKm8/Fp3jExZZnv2eipzaymJXwgRHthmqPpnkHoM8rft7FrlrEia9pZ0UrRcsXgOXz2eJuiKnbu9PNLXmxXtylzEsF9u+jghl+jHdo1rHxNkWI7OOLmVmE5 \n",
"type" : "github-user-key",
"fingerprint" : "52:aa:16:d3:5e:b1:c8:94:75:7a:90:93:0d:04:b5:a3",
"login" : "sunblaze",
"preferred" : false,
"time" : "2015-11-02T18:00:32.192Z"
} ]

tags: bughunting, wstg-info-01, shopify, severity none, web hacking