Home Depot exposed access to internal systems for a year, TechCrunch reports.
According to security researcher Ben Zimmermann, a Home Depot employee published a private GitHub access token sometime in early 2024, likely by mistake.
Zimmermann told TechCrunch that when he tested the token, it granted access to private Home Depot repos on GitHub, with write permissions, as well as access to the company’s cloud infrastructure, including order fulfillment and inventory management systems.
Zimmermann, who told TechCrunch he has disclosed similar exposures to other companies, said he did not get a response to several emails he sent to Home Depot about the leaked credential.
“Home Depot is the only company that ignored me,” he said.
The leaked credential was removed from public view after TechCrunch contacted the company last week.