A researcher netted a $10,000 bug bounty reward from GitHub after discovering a way to spoof the platform’s login interface.
Saajan Bhujel found a bypass that allowed him to change the CSS of the website, potentially tricking users into logging in to a fake page.
GitHub uses MathJax, an open-source JavaScript display engine for LaTeX, MathML, and AsciiMath notation.
Users can render or display mathematical expressions in Markdown through the MathJax library.
Bhujel found a way to bypass MathJax’s HTML filtering by injecting a malicious tag that is filtered and removed, which then allowed him to inject form elements that spoof the GitHub login interface.
He originally reported the issue to GitHub using a different technique, as described in a blog post.
When GitHub noted that his submission was a duplicate, Bhujel used a different technique to find the bypass.
The researcher told The Daily Swig that he is “so happy” with the reward of $10,000, despite originally reporting it as a low-severity issue.
Source: https://portswigger.net/daily-swig/login-spoofing-issue-in-github-nets-researcher-10k-bug-bounty-reward