Twitter: Github Token Leaked publicly for

ID H1:612231
Type hackerone
Reporter muhammad139
Modified 2019-08-15T23:05:07


Description :

GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services as i was able to find github token indexed 4 days Ago by user Dravya Nataraj

Issue & POC :

You can find the leak in this link : > #!/usr/bin/env bash


Set up gitsubmodules to run gradle build

git submodule update --recursive --remote

git add submodules

git add submodules

git add submodules

export FIREBASE_TOKEN=█████

echo "running script testing" USER_NAME=dravyan API_KEY=████████

Networks this script checks for

NETWORKS=( AdColony AdMob AppLovin Chartboost FacebookAudienceNetwork Flurry IronSource OnebyAOL Tapjoy UnityAds Verizon Vungle )

Function to get display name for Firebase update

function get_display_name { key=$1 out=$2 name=$key case "$key" in AdMob ) name="Google (AdMob)";; FacebookAudienceNetwork ) name="Facebook Audience Network";; Flurry ) name="Yahoo! Flurry";; IronSource ) name="ironSource";; OnebyAOL ) name="One by AOL";; UnityAds ) name="Unity Ads";; esac eval "$out='$name'" }

Function to read Adapter version from AdapterConfiguration

function read_networkAdapter_version { versionnumber=grep -r "project.version = " ./$1/ | awk '{print $3}' | sed s/\'//g | sed s/\;//g echo $versionnumber sdkverion=echo $versionnumber | cut -d'.' -f 1-3 echo $sdkverion lowercaseselection=$(echo "$1" | tr '[:upper:]' '[:lower:]') mv ./libs/mopub-$lowercaseselection-adapters-.aar ./libs/$lowercaseselection-$versionnumber.aar ### Generate pom file for adapter version ### echo '<?xml version="1.0" encoding="UTF-8"?> <project xsi:schemaLocation="" xmlns="" xmlns:xsi=""> <modelVersion>4.0.0</modelVersion> <groupId>com.mopub.mediation</groupId> <artifactId>'"$lowercaseselection"'</artifactId> <version>'"$versionnumber"'</version> <packaging>aar</packaging> </project>' >> ./libs/sample.pom ls ./libs echo $lowercaseselection echo $versionnumber mv ./libs/.pom ./libs/$lowercaseselection-$versionnumber.pom ### CREATING TAG RELEASE IN GITHUB ### commitId= git rev-parse HEAD echo $commitId tagname="$lowercaseselection-$versionnumber" echo $tagname #git tag -a $lowercaseselection-$versionnumber -m "new tag" $commitId #git push origin $versionnumber ### Publish release in Github [TO_DO] #curl -H "Authorization: token ██████████" --data '{"tag_name": "$lowercaseselection-$versionnumber","target_commitish": "$commitId","name": "$versionnumber","body": "Release of version $versionnumber. Refer$1/", "draft": false, "prerelease": false}' #curl -H "Authorization: token ████████" --data '{"tag_name": "'"$tagname"'","target_commitish": "'"$commitId"'","name": "'"$versionnumber"'","body": "Refer$1/","draft": false,"prerelease": false}' ### RELEASING aar AND pom TO BINTRAY ### ##curl -T <FILE.EXT> -udravyan:<API_KEY><YOUR_COOL_PACKAGE_NAME>/<VERSION_NAME>/<FILE_TARGET_PATH> #curl -T ./libs/$lowercaseselection-$versionnumber.aar -u$USER_NAME:$API_KEY$lowercaseselection/$versionnumber/com/mopub/mediation/$lowercaseselection/$versionnumber/ #curl -T ./libs/$lowercaseselection-$versionnumber.pom -u$USER_NAME:$API_KEY$lowercaseselection/$versionnumber/com/mopub/mediation/$lowercaseselection/$versionnumber/ if [ $? -eq 0 ]; then ### UPDATE FIREBASE ### echo "Updating firebase JSON..." firebase_project="mopub-mediation" FIREBASE_TOKEN="██████████" get_display_name $i name json_path="/releaseInfo/$name/Android/version" echo $i echo $versionnumber if [ -z "$FIREBASE_TOKEN" ]; then print_red_line "\$FIREBASE_TOKEN environment variable not set!" else #firebase database:set --confirm "/releaseInfo/$name/Android/version/adapter/" --data "\"$versionnumber\"" --project $firebase_project --token $FIREBASE_TOKEN #firebase database:set --confirm "/releaseInfo/$name/Android/version/sdk/" --data "\"$sdkverion\"" --project $firebase_project --token $FIREBASE_TOKEN if [[ $? -ne 0 ]]; then echo "ERROR: Failed to run firebase commands; please follow instructions at:" else echo "Done updating firebase JSON" fi fi else echo Failed to Push to bintray. Please update bintray before updating Firebase. fi


rm -r ./libs/*.pom } for i in "${NETWORKS[@]}" do changed=$(git log --name-status -1 --oneline ./ | grep $i) if [[ ! -z "$changed" ]]; then echo "$changed" read_networkAdapter_version $i fi


I didn't try anything with the token, and dont know what access it has, and i know that in order to login to