21 October 2022 at 14:00 UTC
Updated: 21 October 2022 at 14:29 UTC
Platform pays high reward for bug reported as ‘low severity’
A researcher netted a $10,000 bug bounty reward from GitHub after discovering a way to spoof the platform’s login interface.
Saajan Bhujel found a bypass that allowed him to change the CSS of the website, potentially tricking users into logging into the fake page.
Users can render or display mathematical expressions in Markdown through the MathJax library.
Bhujel found a way to bypass MathJax’s HTML filtering by injecting a malicious tag that is filtered and removed, which then allowed him to inject form elements that spoof the GitHub login interface.
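The article does not give the exact bypass. As an added illustration of the class it describes (this is not GitHub's or MathJax's code), the block below shows a single-pass denylist sanitizer whose removal of a forbidden tag splices the surrounding text into a tag it never inspected, and an allowlist check on the rendered output that would catch the resulting form elements. The tag lists and the sample input are constructed.

```javascript
// Added illustration, not GitHub's or MathJax's code: a denylist sanitizer
// that removes a forbidden tag in one pass can splice surrounding text into a
// tag it never inspected, and a post-render allowlist check catches what the
// denylist missed. Tag names, allowlist and sample input are constructed.

const DENYLIST = /<\/?(script|iframe|object|embed)\b[^>]*>/gi;

// Vulnerable pattern: single-pass removal. The text left on either side of
// the deleted tag is joined and emitted without being looked at again.
function stripOnce(html) {
  return html.replace(DENYLIST, "");
}

// Constructed allowlist of what a math renderer's output may contain.
// A real deployment would derive this from the renderer's actual output.
const MATH_OUTPUT_ALLOWLIST = new Set([
  "span", "math", "mrow", "mi", "mo", "mn", "msup", "msub", "mfrac",
  "svg", "g", "path", "use", "defs", "mjx-container",
]);

// Defender check: list every tag name in the rendered HTML that is not on the
// allowlist. Run it on the final output, after all filtering, so anything a
// removal assembled (such as a <form>) is seen here.
function disallowedTags(html, allow = MATH_OUTPUT_ALLOWLIST) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allow.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Wrap the render step: reject the whole block instead of displaying a
// login-looking form inside what should be a math expression.
function renderOrReject(html) {
  const out = stripOnce(html);
  const bad = disallowedTags(out);
  return bad.length === 0 ? { ok: true, html: out } : { ok: false, tags: bad };
}

// Constructed sample: a forbidden tag placed so that its removal leaves tags
// the denylist was never asked about.
const SAMPLE = "<for<script>m><inp<script>ut></form>";
```

The same check applies to any renderer that post-processes user Markdown: validate the final output against what that renderer is expected to emit, not only the input against a list of known-bad tags.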
When GitHub noted that his first submission was a duplicate, Bhujel turned to a different technique and found the bypass.
The researcher told The Daily Swig that he is “so happy” with the reward of $10,000, despite originally reporting it as a low severity issue.