
Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000
2021-04-07 13:26

A researcher has disclosed the details of a series of vulnerabilities that an attacker could have exploited to access an organization's private pages on GitHub.

GitHub Pages is a service that individuals and organizations can use to host websites.

Over the weekend, researcher Robert Chen published a blog post detailing a chain of vulnerabilities he and another white hat hacker discovered last year in GitHub Pages.

According to Chen, the exploit targeted the authentication flow used for private pages and relied on an uncommon class of vulnerability, Carriage Return Line Feed (CRLF) injection, which led to a cross-site scripting (XSS) attack.

The researchers determined that an unprivileged attacker from outside the targeted organization could abuse such public-private pages to "Compromise internal private pages' authentication flows." A malicious actor could have launched an XSS attack against an employee of the targeted organization and from there pivoted to private pages within the organization.

In response to a Hacker News post describing Chen's findings, the GitHub Pages team shared some information about the issues it uncovered while investigating the vulnerability report.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/FXBfj8YkcHI/details-disclosed-github-pages-flaws-earned-researchers-35000

Related vendor

VENDOR   LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Github   12                    3     40       30     15         88