Finding the design flaw
While playing with the GitHub API, querying different things, I had a light bulb go off.
If you can query any GitHub user via the API and see their administrator access level (the
site_admin field on the user record), why would it not be feasible to piggyback on the
“Myspace Tom” KevinHock account, which follows every GitHub user, to get the list? At the
end of the day, what’s the worst that could
Basically we query the API for KevinHock’s account. Later we do this in a loop so that
we can get around the maximum of 100 records per page. We’ll also need to add a sleep,
because if you query the API too quickly you’ll hit the rate limit and be locked out.
We’ll do this about 10,000 times, with a self-imposed limit of 5 minute query intervals so that
we don’t get locked out. We use tee to be able to see the data pulled back as we write it
to a file. Next we filter the data down to the login lines with grep, then remove an extraneous
character with cut before sending the logins over to xargs, which runs curl on each user,
then send the results through sed to fix the JSON formatting. Finally we save to github_admins.txt.
Will show us (and a lot more):
In the end you should have github_admins.txt, a file of JSON user records for all the administrators on GitHub.
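The procedure above as a runnable script. This is an added example, not the author’s original one-liner: it uses a for loop and small functions in place of the xargs/sed chain, and the endpoint paths (/users/{login}/following, /users/{login}), the Accept header, the X-RateLimit-Remaining header and the output file names are my assumptions about the GitHub REST API rather than details taken from the post. The parsing helpers work on JSON text alone, so they can be exercised offline on constructed records; the live walk only runs when RUN_LIVE=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): walk the accounts a seed user
# follows, fetch each user's record, and keep the ones with "site_admin": true.
# Endpoint paths, header names and file names below are assumptions.
set -u

API_BASE="${GITHUB_API_BASE:-https://api.github.com}"
SEED_USER="${SEED_USER:-KevinHock}"
PER_PAGE=100                     # the API caps a page at 100 records
MAX_PAGES="${MAX_PAGES:-10000}"  # upper bound on pages walked
SLEEP_SECS="${SLEEP_SECS:-5}"    # self-imposed pause between calls
OUT_FILE="${OUT_FILE:-github_admins.txt}"
ALL_FILE="${ALL_FILE:-all_users.jsonl}"

# Print the "login" values found in JSON on stdin, one per line.
# Tolerates both "login":"x" and "login": "x" spacing.
extract_logins() {
  grep -o '"login": *"[^"]*"' | cut -d'"' -f4
}

# Succeed if the user record on stdin says "site_admin": true.
is_site_admin() {
  grep -q '"site_admin": *true'
}

# Read user records one per line on stdin; print the logins flagged site_admin.
admin_logins() {
  while IFS= read -r record; do
    [ -n "$record" ] || continue
    if printf '%s\n' "$record" | is_site_admin; then
      printf '%s\n' "$record" | extract_logins
    fi
  done
}

# GET a path and print the body. On any non-200 (a rate-limit refusal comes
# back as 403 with X-RateLimit-Remaining: 0) report the status and fail.
api_get() {
  local path="$1" body_file hdr_file status
  body_file=$(mktemp); hdr_file=$(mktemp)
  status=$(curl -sS -D "$hdr_file" -o "$body_file" -w '%{http_code}' \
             -H 'Accept: application/vnd.github+json' "$API_BASE$path")
  if [ "$status" != "200" ]; then
    echo "HTTP $status for $path $(grep -i '^x-ratelimit-remaining' "$hdr_file")" >&2
    rm -f "$body_file" "$hdr_file"
    return 1
  fi
  cat "$body_file"
  rm -f "$body_file" "$hdr_file"
}

# Page through the seed user's following list, look up every login, tee the
# raw records to ALL_FILE (so you can watch them arrive) and append admin
# logins to OUT_FILE. Stops on an empty page or an API error.
run_enumeration() {
  : > "$OUT_FILE"
  local page=1 logins login record
  while [ "$page" -le "$MAX_PAGES" ]; do
    logins=$(api_get "/users/$SEED_USER/following?per_page=$PER_PAGE&page=$page") || break
    logins=$(printf '%s' "$logins" | extract_logins)
    [ -n "$logins" ] || break            # empty page: end of the list
    for login in $logins; do
      record=$(api_get "/users/$login") || continue
      printf '%s\n' "$record" | tr -d '\n' | tee -a "$ALL_FILE" | admin_logins >> "$OUT_FILE"
      sleep "$SLEEP_SECS"
    done
    page=$((page + 1))
  done
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  run_enumeration
fi
```

Run it with RUN_LIVE=1 and, to avoid the tiny unauthenticated quota, pass a token via a -H 'Authorization: ...' header in api_get; the script deliberately stops on the first non-200 rather than hammering the API through a rate-limit window.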
I submitted this for a bug bounty, but it didn’t qualify because they already knew about the
design flaw and considered it low risk. Please don’t use this maliciously; it is for
informational purposes only. View the full file: here.