Image Credits: PATRICK T. FALLON / AFP / Getty Images
8:42 AM PST · December 12, 2025
A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees published a private access token online, likely by mistake. The researcher found the exposed token and tried to privately alert Home Depot to its security lapse, but was ignored for several weeks.
The vulnerability is now fixed after TechCrunch contacted company representatives last week.
Security researcher Ben Zimmermann told TechCrunch that, in early November, he found a published GitHub access token belonging to a Home Depot employee, which was exposed sometime in early 2024.
When he tested the token, Zimmermann said that it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed the ability to modify their contents.
The researcher said the keys allowed access to Home Depot’s cloud infrastructure, including its order fulfillment and inventory management systems, and code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub’s website.
Zimmermann said he sent several emails to Home Depot but didn’t hear back.
Nor did he get a response from Home Depot’s chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn.
Zimmermann told TechCrunch that he has disclosed several similar exposures in recent months to companies, which have thanked him for his findings.
“Home Depot is the only company that ignored me,” he said.
Given that Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted TechCrunch in an effort to get the vulnerability fixed.
When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.
We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.
He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.