Security researchers say Home Depot exposed access to its internal systems for years after one of its employees published a personal access token online, possibly by mistake. Researchers discovered the exposed token and attempted to privately alert Home Depot to the security risk, but their reports were ignored for weeks.
The exposed token has since been revoked, after TechCrunch contacted company representatives last week.
Security researcher Ben Zimmermann told TechCrunch that at the beginning of November he found a GitHub access token issued to a Home Depot employee that had been exposed online since around early 2024.
When he tested the token, Zimmermann said it granted access to hundreds of private Home Depot code repositories hosted on GitHub and allowed him to edit their contents.
Researchers say the token allowed access to the company's in-house cloud infrastructure, including order processing and inventory management systems, as well as code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub's website.
Zimmermann said he sent several emails to Home Depot but did not hear back.
Nor did we get a response from Home Depot's Chief Information Officer, Chris Lanzilotta, after sending a message through LinkedIn.
Zimmermann told TechCrunch that he had identified a number of similar exposures last month and reported his findings to the affected companies.
“Home Depot was one of those companies that ignored me,” he said.
Given that Home Depot does not have a way to report security flaws, such as a vulnerability disclosure program or a bug bounty program, Zimmermann contacted TechCrunch in an effort to get the leak fixed.
When reached by TechCrunch on Dec. 5, Home Depot spokesperson Lane did not respond to an email seeking comment. The exposed token is no longer online, and the researcher said that access through the token was cut off after our outreach.
We also asked Lane whether Home Depot has any technical means, such as logs, to determine if anyone else used the token to access Home Depot's internal systems during the months it was left online. We heard nothing more.