Security researchers say Home Depot left access to its internal systems exposed for about a year after one of its employees, likely by mistake, posted a private access token online. A researcher discovered the exposed token and tried to warn Home Depot privately, but was ignored for weeks.
The exposure has now been fixed, after TechCrunch contacted a company representative last week.
Security researcher Ben Zimmermann told TechCrunch that he discovered a publicly exposed GitHub access token belonging to a Home Depot employee in early November, though the token had been posted online in early 2024.
Zimmermann said that when he tested the token, it allowed him to access and modify the contents of hundreds of private Home Depot source code repositories hosted on GitHub.
Researchers say these credentials allowed access to Home Depot's cloud infrastructure, including its order fulfillment and inventory management systems and its software development pipeline. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to its customer profile on GitHub's website.
Zimmermann said he emailed Home Depot several times but received no response.
Chris Lanzilotta, Home Depot's chief information security officer, also did not respond to a message sent via LinkedIn.
Zimmermann told TechCrunch that he has made several similar disclosures to other companies in recent months and that those companies were grateful for his findings.
“Home Depot is the only company that ignored me,” he said.
Because Home Depot has no channel for reporting security flaws, such as a vulnerability disclosure policy or a bug bounty program, Zimmermann contacted TechCrunch to get the exposure fixed.
When contacted by TechCrunch on Dec. 5, Home Depot spokesperson George Lane acknowledged receiving the email, but did not respond to a subsequent email requesting comment. The exposed token is no longer online, and the researcher said access through the token was revoked shortly after TechCrunch reached out.
We also asked Lane whether Home Depot had any technical means, such as logs, to determine whether anyone else had used the token to access Home Depot's internal systems during the months it was left online. There was no reply.