GitHub token with wide access to Nuxt related repositories leaked in the wild in nuxtlabs/github-module

Valid

Reported on

Apr 10th 2023


Description

If you visit https://nuxt.com, you will find a hardcoded GitHub token in the source code of the page - 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.
This token has access to multiple repositories under the nuxt, nuxtlabs and nuxt-themes GitHub organisations.

https://github.com/nuxt

Admin permissions to 86 repositories (33 of them are private):

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxt/nuxt
nuxt/vue-meta
nuxt/nuxtjs.org
nuxt/docs
nuxt/todomvc
nuxt/example-auth0
nuxt/benchmarks
nuxt/hackernews
nuxt/cli-draft
nuxt/hacker-news-pwas
nuxt/create-nuxt-app
nuxt/youch
nuxt/css-loader
nuxt/friendly-errors-webpack-plugin
nuxt/vue-devtools
nuxt/babel-preset-app
nuxt/renovate-config-nuxt
nuxt/codesandbox-nuxt
nuxt/eslint-config
nuxt/nuxt-redirects
nuxt/rfcs
nuxt/press
nuxt/eslint-plugin-nuxt
nuxt/actions-yarn
nuxt/nuxt-services-experimental
nuxt/vercel-builder
nuxt/loading-screen
nuxt/http
nuxt/typescript
nuxt/markdown
nuxt/test-utils
nuxt/blueprints
nuxt/components
nuxt/content
nuxt/telemetry
nuxt/modules
nuxt/image
nuxt/nitro-demo
nuxt/assets
nuxt/vite
nuxt/postcss8
nuxt/framework
nuxt/starter
nuxt/nuxt-movies
nuxt/devtools
nuxt/nuxt3-stubs
nuxt/module-builder
nuxt/bridge
nuxt/movies
nuxt/nuxt.new
nuxt/examples
nuxt/.github
nuxt/governance

https://github.com/nuxtlabs

Push permissions to 81 repositories (64 of them are private), also admin permissions to 4 of them:

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxtlabs/vue-telescope-analyzer
nuxtlabs/vue-telescope-website
nuxtlabs/vue-telescope-extensions
nuxtlabs/guides-examples
nuxtlabs/demo-blog-nuxt-content
nuxtlabs/examples
nuxtlabs/pwa-module
nuxtlabs/nuxtjs.org
nuxtlabs/github-module
nuxtlabs/vscode-mdc
nuxtlabs/tiptap-markdown
nuxtlabs/.github
nuxtlabs/nuxt-component-meta
nuxtlabs/starter
nuxtlabs/mdc-api
nuxtlabs/docus-theme-starter
nuxtlabs/studio-demo

https://github.com/nuxt-themes

Push permissions to 10 repositories (2 of them are private):

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxt-themes/docus
nuxt-themes/docus-docs-starter
nuxt-themes/config
nuxt-themes/alpine
nuxt-themes/starter
nuxt-themes/typography
nuxt-themes/alpine-starter
nuxt-themes/.github

Proof of Concept

% curl https://nuxt.com/ | grep -o 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
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

% curl -sS -f -I -H "Authorization: token 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" https://api.github.com
HTTP/2 200
server: GitHub.com
...
x-oauth-scopes: read:org, repo, user
...

Impact

A threat actor can push malicious code to the mentioned project repositories, which would lead to a supply chain attack. It is also possible to completely delete some of the repositories to which the leaked token has admin access. Access to private repositories may reveal more secrets and private user data.

Occurrences

We are processing your report and will contact the nuxtlabs/github-module team within 24 hours. 2 months ago
Daniel Roe gave praise a month ago
Thank you so much for reporting it with disclosure 💚
Daniel Roe validated this vulnerability a month ago
ivanovanton has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sébastien Chopin gave praise a month ago
Thank you so much for reporting it with disclosure 💚
ivanovanton
a month ago

Researcher


Hi team,

It seems that this token has been leaked since January 2023, according to the Wayback Machine. I hope that you will check that no malicious changes were performed in Nuxt repositories since that time.

Ben Harvie modified the report
a month ago
Daniel Roe marked this as fixed in 1.6.2 with commit 5490c4 a month ago
Daniel Roe has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 18th 2023
module.ts#L72 has been validated
Daniel Roe published this vulnerability a month ago