Now that GitHub has launched a bug bounty program, many security researchers are taking a crack at the code repository. One of them is Egor Homakov, who has managed to gain access to private GitHub repositories by using a combination of 5 low-severity flaws.
Separately, none of the 5 vulnerabilities can be exploited to do much damage, but combined they form a high-severity exploit.
GitHub fixed the vulnerabilities shortly after they were reported by the security expert. Homakov has been rewarded with $4,000 (€2,935), which is the highest payment made by GitHub so far.
The security holes, as described by GitHub, are: an OAuth partial open redirect; a Gist Camo bypass that leaks the Referer header; abuse of markdown caching to bypass the rel="noreferrer" attribute on private Gist links; a Gist OAuth token stored in a CookieSession session; and auto-approval of arbitrary OAuth scopes for Gist.
Additional technical details are available on Homakov’s blog and on Reddit.