Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

A researcher has disclosed the details of a series of vulnerabilities that could have been exploited by an attacker to access an organization’s private pages on GitHub.

A researcher has disclosed the details of a series of vulnerabilities that could have been exploited by an attacker to access an organization’s private pages on GitHub.

GitHub Pages is a service that individuals and organizations can use to host websites. The sites can be hosted on a custom domain or the domain, and the code for the website is taken directly from a private or public GitHub repository. The pages themselves can also be private or public.

Over the weekend, researcher Robert Chen published a blog post detailing a chain of vulnerabilities he and another white hat hacker discovered last year in GitHub Pages.

The issue was reported in May 2020 and patched in June 2020. GitHub assigned the exploit a high severity rating and awarded the researchers $20,000, as well as a $15,000 bonus, which is one of the highest bug bounties awarded by the company.

According to Chen, the exploit was related to the authentication flow used for private pages and involved an uncommon type of vulnerability called Carriage Return Line Feed (CRLF) injection, which led to a cross-site scripting (XSS) attack. A cache poisoning issue could have allowed an attacker to get the XSS payload cached and delivered to users who haven’t directly interacted with it — triggering an XSS vulnerability typically requires the target to access a malicious link or page.

The attack also involved what the researcher described as “public-private pages,” which refers to public repositories having “private” pages. This can occur when an organization has a private repository with a private page but later decides to make the repository public — the associated page remains “private,” but it’s actually public to everyone.

The researchers determined that an unprivileged attacker from outside the targeted organization could abuse such public-private pages to “compromise internal private pages’ authentication flows.” A malicious actor could have launched an XSS attack on an employee of the targeted organization and from there pivot to private pages within the organization.

Advertisement. Scroll to continue reading.

In response to a Hacker News (Y Combinator) post describing Chen’s findings, the GitHub Pages team shared some information about the issues it uncovered while investigating this vulnerability report.

Related: Google Discloses Details of GitHub Actions Vulnerability

Related: Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.