Home Depot’s internal systems were exposed for a year, researcher finds

Summary
– A Home Depot employee accidentally published a private GitHub access token online in early 2024, exposing internal systems for about a year.
– Security researcher Ben Zimmermann found the token, which granted access to hundreds of private source code repositories and the ability to modify them.
– The exposed token also provided access to critical cloud infrastructure, including order fulfillment, inventory management, and development systems.
– Zimmermann attempted to alert Home Depot privately for several weeks through emails and LinkedIn but received no response.
– The security lapse was only fixed after TechCrunch contacted the company, and it remains unknown if the token was misused by others during its exposure.
A security lapse at Home Depot left the company’s internal systems vulnerable for nearly a year after an employee accidentally published a private access token online. The exposure, now resolved, highlights the persistent risk companies face from simple human error and the importance of having robust channels for external security reporting. The incident underscores how a single leaked credential can unlock vast portions of a corporation’s digital infrastructure.
Security researcher Ben Zimmermann discovered the exposed GitHub access token in early November. Upon testing it, he found it provided extensive privileges, granting entry to hundreds of Home Depot’s private source code repositories. More alarmingly, the token did not just allow viewing; it permitted modifications to the code within those repositories. The access extended far beyond source code, reaching into the company’s cloud infrastructure. This included sensitive operational systems like order fulfillment and inventory management platforms, as well as code development pipelines.
Zimmermann attempted to follow responsible disclosure practices by contacting Home Depot directly through multiple emails. He even reached out to the company’s chief information security officer via LinkedIn. Despite these efforts, he received no response. This silence persisted for several weeks, leaving the exposure unaddressed. Zimmermann, who has successfully reported similar issues to other companies, noted that Home Depot was the only organization to ignore his warnings.
The lack of a formal vulnerability disclosure program or bug bounty system at Home Depot left the researcher with few options to escalate the issue privately. This ultimately led him to contact the media, which prompted action. Following outreach from TechCrunch, Home Depot representatives revoked the token’s access, closing the security gap. The token is no longer available online.
A key unanswered question remains whether any malicious actors exploited the token during its long period of exposure. When asked if Home Depot possesses the technical logs to determine if unauthorized access occurred, the company did not provide a response. The company’s spokesperson acknowledged an initial email but did not comment on the specifics of the incident or the researcher’s claims. This event serves as a stark reminder of the need for companies to monitor for credential leaks actively and to establish clear, responsive pathways for security researchers to report critical findings.
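The closing point about actively monitoring for credential leaks is the one concrete control in this story. As an added example (not code from the article, from Home Depot, or from the researcher), the following Python scanner matches the shapes of GitHub access tokens, flags obvious documentation placeholders by character entropy, and reports hits with the secret redacted so a finding can be filed without re-leaking it. The prefixes and lengths follow GitHub's documented token formats as I know them (classic "ghp_", OAuth "gho_", user-to-server "ghu_" and server-to-server "ghs_" tokens with 36 base62 characters after the prefix; fine-grained "github_pat_" tokens with 22 characters, an underscore, then 59); the entropy threshold and the sample lines are assumptions constructed for the example.

```python
"""Scan text for GitHub access-token shapes and report them with the secret redacted.

Added example, not code from the article, Home Depot or the researcher. Assumptions:
the token shapes below follow GitHub's documented prefixes and lengths as the author
of this example knows them, and the entropy threshold is an illustrative tuning knob,
not a GitHub rule.
"""
import math
import re
import string
from collections import Counter
from dataclasses import dataclass

TOKEN_PATTERNS = {
    # classic PAT (ghp_), OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_)
    "github_classic": re.compile(r"\b(?P<prefix>gh[pous]_)(?P<body>[A-Za-z0-9]{36})\b"),
    # fine-grained PAT: 22 chars, underscore, 59 chars
    "github_fine_grained": re.compile(
        r"\b(?P<prefix>github_pat_)(?P<body>[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
    ),
}

# Below this many bits per character the "token" is almost certainly a docs
# placeholder such as ghp_xxxx...; real base62 tokens sit near log2(62) ~ 5.95.
PLACEHOLDER_ENTROPY_BITS = 3.0  # assumption: tuning knob, not a GitHub rule


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str       # safe to put in a ticket or a log line
    entropy: float
    likely_placeholder: bool


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(prefix: str, body: str) -> str:
    """Keep the prefix (it identifies the token family) and the last 4 chars only."""
    return f"{prefix}...{body[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return every token-shaped match, one Finding per hit, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                body = m.group("body")
                ent = shannon_entropy(body.replace("_", ""))
                findings.append(Finding(
                    line_no=line_no,
                    kind=kind,
                    redacted=redact(m.group("prefix"), body),
                    entropy=ent,
                    likely_placeholder=ent < PLACEHOLDER_ENTROPY_BITS,
                ))
    return findings


def live_findings(text: str) -> list[Finding]:
    """Only the hits worth revoking: drop obvious placeholders."""
    return [f for f in scan_text(text) if not f.likely_placeholder]


# Constructed sample input (not real tokens): deterministic base62 fillers give
# the strings the right length and a realistic character mix.
_B62 = string.ascii_letters + string.digits
SAMPLE_CLASSIC = "ghp_" + _B62[10:46]                                   # 36-char body
SAMPLE_PLACEHOLDER = "ghp_" + "x" * 36                                   # README placeholder
SAMPLE_FINE_GRAINED = "github_pat_" + _B62[:22] + "_" + (_B62 * 2)[:59]  # 22 + _ + 59
SAMPLE_TEXT = "\n".join([
    f"export GITHUB_TOKEN={SAMPLE_CLASSIC}",
    f"# example in README: {SAMPLE_PLACEHOLDER}",
    f'token = "{SAMPLE_FINE_GRAINED}"',
    "nothing secret on this line, ghp_short is not a token",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        verdict = "PLACEHOLDER" if f.likely_placeholder else "REVOKE"
        print(f"line {f.line_no}: {f.kind} {f.redacted} entropy={f.entropy:.2f} {verdict}")
```

Run a scanner like this over full repository history and over anything the organisation publishes, not just the current working tree: a token deleted in a later commit is still retrievable from history. Whatever it reports, revoke the token first and investigate second; the audit-log question the company could not answer is far easier to settle once the key is already dead.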
(Source: TechCrunch)