Github Organization Takeover By Claiming Owner Invitation
TL;DR
courtesy - https://bounty.github.com/researchers/Abss0x7tbh.html
A malicious user could leverage 3 things to takeover a Github Organization :
- An invitation to owner from the organization.
- No email verification.
- No check on email verification prior to accepting invitation.
This bug was reported on Nov 17,2017 and was one of my very first bugs.
The Invitation feature
Through github.com one can create an organization within their personal account and invite team members. I was hard on checking for any account privilege escalations here.
So whilst surfing through github.com, i created an organization and started testing. I noticed that only the team maintainer or the owner can invite people to the organization. When sending the invite, the invitee could either be a github user or someone who is new to github.
If the user is new to github then the invitation has to be sent via their email only. If they are already a github user we have an option to choose their username and then send the invitation.
As seen below, we can also chose the privilege of the invitee and send the invitation. The owner has complete control over the organization.
With the invite sent, i intuitively created a new github account with the invitee email instead of the basic email invitation > account creation + accepting invitation.
I noticed that at the github.com/org_name page, i had my invitation displayed.
Well this was normal as github does display invitations as such. The next thing that hit me was that i forgot the email verification part whilst creating the above account. So this meant I can be someone impersonating this invitee.
As I hadn’t verified my email yet the invitation could just be a client-end display notification and not a legit endpoint with the invitation token?
Well that wasn’t the case! I was able to accept the invitation and join the org as the new owner!
Scenario
It was time to file the report by first creating a scenario.
Here’s what would happen :
- Assume an organization invites the new owner through their email. This means they aren’t a github user and would likely have to create a new github account.
- This means a malicious user could set-up a new account with the invitee email.
- The invitation endpoint does not verify if the invitee has their email verified. This means anyone can impersonate the invitee. The web invitation is displayed on the organization page i.e
github.com/org_namewithout any checks also revealing the invitation_token. - The malicous user just has to accept invitation before the actual owner does(via their email) ,claiming the invitation,impersonating the invitee owner in the process and gaining control over the organization.
I was able to find a couple of similar bugs henceforth.
Timeline
Bug reported - Nov 8th 2017
Bug Resolved/Bounty/Swag - $5000 - Nov 16th 2017
adiós!