A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees posted a private access token online, likely by mistake. The researcher found the exposed token and attempted to privately notify Home Depot of its security flaw, but was ignored for several weeks.
The exposure has now been fixed after TechCrunch contacted company representatives last week.
Security researcher Ben Zimmermann told TechCrunch that, in early November, he found a published GitHub access token belonging to a Home Depot employee that had been exposed sometime in early 2024.
When he tested the token, Zimmermann said, it granted access to hundreds of private Home Depot source code repositories hosted on GitHub, including the ability to modify their contents.
The researcher said the token also allowed access to Home Depot’s cloud infrastructure, including order fulfillment and inventory management systems and code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on the GitHub website.
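The practical lesson of this story is that a token committed or pasted anywhere public has to be caught before it leaves the developer's machine, and, once it has leaked, treated as compromised and revoked rather than quietly deleted. The following scanner is an added example written for this page; it is not code from TechCrunch, the researcher, or Home Depot. It matches the token formats GitHub publishes for classic tokens (`ghp_`, `gho_`, `ghu_`, `ghs_` plus 36 base62 characters) and fine-grained personal access tokens (`github_pat_` plus 22 characters, an underscore, and 59 characters); the exact lengths are taken from GitHub's documentation and should be checked against your own tokens before you use this to block commits. The sample files and the tokens inside them are constructed for the example and are not real credentials.

```python
"""Pre-commit style scan for GitHub access tokens in text (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Token shapes as documented by GitHub. Lengths are an assumption to verify
# against your own environment; a token format change would need a new pattern.
GITHUB_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])"                      # not the tail of a longer identifier
    r"(?:gh[pous]_[A-Za-z0-9]{36}"            # classic: ghp_/gho_/ghu_/ghs_ + 36 base62
    r"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})"  # fine-grained PAT
    r"(?![A-Za-z0-9_])"                       # not followed by more identifier chars
)

KIND_BY_PREFIX = {
    "ghp_": "classic PAT",
    "gho_": "OAuth token",
    "ghu_": "user-to-server",
    "ghs_": "server-to-server",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    token_kind: str
    redacted: str  # prefix + first 4 body chars, so the report itself does not leak the secret


def classify(token: str) -> str:
    if token.startswith("github_pat_"):
        return "fine-grained PAT"
    return KIND_BY_PREFIX[token[:4]]


def redact(token: str) -> str:
    if token.startswith("github_pat_"):
        prefix, body = "github_pat", token[len("github_pat_"):]
    else:
        prefix, body = token.split("_", 1)
    return f"{prefix}_{body[:4]}..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token occurrence, with the token redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            token = match.group(0)
            findings.append(Finding(path, line_no, classify(token), redact(token)))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_staged(repo: str = ".") -> list[Finding]:
    """The real hook: scan the staged copy of every added/changed file. Needs git."""
    names = subprocess.run(
        ["git", "-C", repo, "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    findings = []
    for name in names:
        # "git show :path" prints the index (staged) version, not the working tree.
        blob = subprocess.run(
            ["git", "-C", repo, "show", f":{name}"],
            capture_output=True, text=True, errors="replace", check=True,
        ).stdout
        findings.extend(scan_text(name, blob))
    return findings


# Constructed sample input: fake tokens of the documented lengths, not real credentials.
FAKE_CLASSIC = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"                    # 4 + 36
FAKE_FINE = "github_pat_" + "ABCDEFGHIJKLMNOPQRSTUV" + "_" + "0123456789" * 5 + "abcdefghi"  # 11 + 22 + 1 + 59

SAMPLE_FILES = {
    "config/settings.py": (
        "API_BASE = 'https://api.github.com'\n"
        f"GITHUB_TOKEN = '{FAKE_CLASSIC}'  # hard-coded credential\n"
    ),
    "ci/deploy.sh": f"export GH_TOKEN={FAKE_FINE}\n",
    # A doc placeholder that is too short to be a token must not trigger a finding.
    "README.md": "Set GITHUB_TOKEN in your environment, e.g. ghp_xxxxxxxx (36 chars).\n",
}

if __name__ == "__main__":
    hits = scan_all(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.token_kind} {f.redacted}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit when used as a hook
```

Wired into a pre-commit hook, `scan_staged` refuses commits that would add a token, which is where the cheapest fix lives; anything that has already reached a remote should be rotated, because deleting the commit does not un-leak it. The regex deliberately requires the full documented length, so documentation placeholders like `ghp_xxxxxxxx` are ignored, and the report prints only a redacted prefix so the scanner's own output cannot become a second leak.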
Zimmermann said he sent several emails to Home Depot but did not receive a response.
Nor did he get a response from Home Depot’s chief information security officer, Chris Lanzilotta, after sending a message through LinkedIn.
Zimmermann told TechCrunch that he has uncovered several similar exposures at other companies in recent months, and those companies thanked him for his findings.
“Home Depot is the only company that ignored me,” he said.
Since Home Depot offers no way to report security flaws, such as a vulnerability disclosure program or bug bounty program, Zimmermann reached out to TechCrunch in an attempt to get the exposure fixed.
When reached by TechCrunch on Dec. 5, Home Depot spokesman George Lane acknowledged receipt of our email but did not respond to subsequent emails seeking comment. The exposed token is no longer online, and the researcher said access to the token was revoked shortly after we contacted the company.
We also asked Lane whether Home Depot has the technical means, such as logs, to determine whether anyone else used the token to access Home Depot’s internal systems during the months it was online. We didn’t hear back.
