
Home Depot has revoked a private access token belonging to one of its employees after a security researcher found that it had been publicly exposed on GitHub for nearly a year. The token potentially allowed wide-ranging access to the retailer’s internal infrastructure.
Exposed Token Granted Broad Internal Access
Security researcher Ben Zimmermann told TechCrunch that he found the exposed token published on GitHub in early November. The token belonged to a Home Depot employee and appeared to have been public since early 2024.
When tested, the token gave read and write access to hundreds of Home Depot’s private source code repositories hosted on GitHub. Zimmermann said the access extended beyond source code to parts of Home Depot’s cloud infrastructure, including systems related to order fulfillment, inventory management, and internal development pipelines.
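A practitioner reading this will want two things: a way to spot a token like this in their own code and configuration before someone else does, and a way to find out what a leaked token can do before it is revoked. The Python below is an added example, not code from the original article or from Home Depot. It flags GitHub-token-shaped strings in text and interprets the X-OAuth-Scopes header that GitHub returns on authenticated API calls made with a classic personal access token. The token shapes, the sample lines and the sample headers are constructed assumptions for illustration; no real credential appears.

```python
"""Triage a suspected leaked GitHub token: find token-shaped strings in
text (a repository dump, a gist, a CI log) and classify the scopes GitHub
reports for a classic token in its X-OAuth-Scopes response header."""
import re

# Assumption: GitHub's published token shapes. Classic PATs and OAuth/app
# tokens are a 4-char prefix (ghp_, gho_, ghu_, ghs_) plus 36 base62 chars;
# fine-grained PATs are github_pat_ + 22 chars + '_' + 59 chars. The
# checksum GitHub embeds in the trailing characters is not verified here,
# so a random string of the right shape will also match.
TOKEN_PATTERNS = {
    "classic": re.compile(r"\bgh[pous]_[A-Za-z0-9]{36}\b"),
    "fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# Classic-token scopes that permit modification or administration.
HIGH_RISK_SCOPES = {"repo", "workflow", "admin:org", "admin:repo_hook",
                    "admin:org_hook", "delete_repo", "write:packages",
                    "delete:packages", "admin:enterprise"}


def redact(token: str) -> str:
    """Keep the prefix plus a few characters at each end, enough to match
    a finding against GitHub's settings page without re-leaking the secret."""
    head = 11 if token.startswith("github_pat_") else 4
    return f"{token[:head + 4]}...{token[-4:]}"


def find_github_tokens(lines):
    """Return (line_number, family, redacted_token) for every shape hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for family, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((n, family, redact(m.group(0))))
    return hits


def scopes_from_headers(headers):
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns for a
    classic token. Fine-grained tokens carry no such header, so an empty
    set means 'check the token's permission model elsewhere', not 'harmless'."""
    raw = {k.lower(): v for k, v in headers.items()}.get("x-oauth-scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def risk_summary(scopes):
    """Split reported scopes into those that allow writes/admin and the rest."""
    return {"high_risk": sorted(scopes & HIGH_RISK_SCOPES),
            "other": sorted(scopes - HIGH_RISK_SCOPES)}


# Constructed sample input: one classic-shaped token, one fine-grained-shaped
# token, one near miss and one ordinary line. None are real credentials.
SAMPLE_LINES = [
    "GITHUB_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8",
    "export GH_FINE=github_pat_ABCDEFGHIJKLMNOPQRSTUV_"
    "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVW",
    'token = "ghp_short"  # wrong length, must not match',
    "url = https://github.com/example/repo.git",
]

# Constructed headers in the shape GitHub returns for GET /user with a
# classic token; only the headers relevant here are included.
SAMPLE_HEADERS = {"X-OAuth-Scopes": "repo, workflow, read:org",
                  "X-RateLimit-Limit": "5000"}

if __name__ == "__main__":
    for line_no, family, shown in find_github_tokens(SAMPLE_LINES):
        print(f"line {line_no}: {family} token {shown}")
    print(risk_summary(scopes_from_headers(SAMPLE_HEADERS)))
```

To obtain real headers for a token you have found, send a single `GET https://api.github.com/user` with an `Authorization: Bearer <token>` header and read `X-OAuth-Scopes` from the response; do this once, from a host you control, and revoke the token immediately afterwards rather than exploring what it reaches. If the token is `repo`-scoped, as the access described above suggests, treat every repository the owning account can see as potentially modified until history has been reviewed.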
Home Depot has used GitHub to host much of its engineering and developer infrastructure since 2015, according to information published on GitHub’s website.
Attempts to Notify the Company Went Unanswered
Zimmermann said he made multiple attempts to privately disclose the issue to Home Depot after discovering the exposed token. He sent several emails to the company and also contacted Home Depot’s chief information security officer, Chris Lanzilotta, through LinkedIn, but did not receive a response for several weeks.
He told TechCrunch that he has reported similar exposures to other companies in recent months and typically received acknowledgments. He said Home Depot was the only company that did not respond.
Zimmermann added that Home Depot does not appear to operate a public vulnerability disclosure process or bug bounty program, which limited his options for responsible disclosure.
Issue Resolved After Media Inquiry
After Zimmermann contacted TechCrunch, the publication reached out to Home Depot for comment on December 5. Home Depot spokesperson George Lane acknowledged receipt of the inquiry but did not respond to follow-up questions.
Shortly after TechCrunch’s outreach, the exposed token was removed from GitHub and its access was revoked, according to Zimmermann.
TechCrunch also asked Home Depot whether it has technical records, such as access logs, that could determine whether the token was used by unauthorized parties during the period it was publicly accessible. The company did not provide a response.
Featured image credits: Wikimedia Commons
