
A security researcher says Home Depot left its internal systems exposed for a year after one of its employees accidentally published a private access token. Researcher Ben Zimmermann found the token posted on GitHub in early November 2024. When he tested it, it granted access to numerous private Home Depot source code repositories on GitHub, including the ability to modify their contents. More seriously, the same token gave entry into Home Depot's cloud infrastructure, including systems for order fulfillment, inventory management, and the company's code development pipelines.

Zimmermann tried to alert Home Depot by sending multiple emails, but they went unanswered for several weeks. The exposure was addressed only after TechCrunch contacted the company last week. Home Depot has used GitHub for its developer and engineering infrastructure since 2015, according to GitHub's customer profile of the company.

Zimmermann also tried to reach Home Depot's chief information security officer, Chris Lanzilotta, via LinkedIn and email, and received no response. He said he has reported similar exposures to other companies in the past, which thanked him for his findings. "Home Depot is the only company that ignored me," he stated. Because Home Depot offers no clear channel for reporting security vulnerabilities, and no bug bounty program, Zimmermann turned to TechCrunch to get the issue resolved.

When contacted, Home Depot spokesperson George Lane confirmed receipt of the inquiry but did not answer follow-up questions. The access token has since been removed and its permissions revoked, shortly after TechCrunch's engagement.

It remains unclear whether Home Depot has the logging and audit capability needed to determine if the token was used by anyone else during the time it was publicly accessible.
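The checks Zimmermann describes, does the token still work and what does it reach, are the same ones a responder runs after finding a leaked credential. The script below is an added example, not code from the article, from TechCrunch, or from Home Depot. It locates GitHub-format tokens in a block of text (a diff, a log, a pasted config), runs the offline checksum that classic tokens carry so that obvious false positives are dropped before anyone touches the API, and rates the scopes GitHub reports for a live token. Assumptions: the sample diff text is constructed, the base62 alphabet order used for the checksum is assumed (confirm it against one known-good token before relying on it), and `live_scopes` is a hypothetical helper name that needs network access and is not exercised offline.

```python
"""Triage of a leaked GitHub token: locate it, sanity-check it, rate what
it can reach.  Added example, not code from the article.  The sample
diff text below is constructed for the demonstration."""
import re
import zlib
from urllib.request import Request, urlopen

# Classic tokens: type prefix (ghp_ personal, gho_ OAuth, ghu_/ghs_ app,
# ghr_ refresh), 30 random base62 chars, then a 6-char base62 CRC32 of
# those 30 chars.  The alphabet ORDER below is an assumption; confirm it
# against one known-good token before relying on checksum_ok() alone.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CLASSIC_RE = re.compile(r"\b(gh[pousr]_)([0-9A-Za-z]{30})([0-9A-Za-z]{6})\b")
# Fine-grained PATs have a different shape and no checksum verified here.
FINE_GRAINED_RE = re.compile(r"\bgithub_pat_[0-9A-Za-z]{22}_[0-9A-Za-z]{59}\b")

# Scopes that turn "someone has a token" into the scenario in the article.
HIGH_RISK = {
    "repo": "read and modify every private repository the user can see",
    "workflow": "edit GitHub Actions workflows (CI/CD pipeline takeover)",
    "admin:org": "manage organization members, teams and settings",
    "delete_repo": "delete repositories",
    "write:packages": "publish packages under the account",
    "admin:repo_hook": "add webhooks that copy pushes and pull requests",
}


def base62_checksum(payload: str) -> str:
    """CRC32 of the 30-char random part, base62, left-padded to 6 chars."""
    n = zlib.crc32(payload.encode("ascii"))
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = BASE62[r] + digits
    return digits.rjust(6, "0")


def checksum_ok(token: str) -> bool:
    """Offline plausibility check: cuts false positives before any API call."""
    m = CLASSIC_RE.fullmatch(token)
    return bool(m) and base62_checksum(m.group(2)) == m.group(3)


def find_tokens(text: str) -> list:
    """Return (token, kind, checksum_valid) for every candidate in text."""
    hits = [(m.group(0), "classic", checksum_ok(m.group(0)))
            for m in CLASSIC_RE.finditer(text)]
    hits += [(m.group(0), "fine-grained", None)
             for m in FINE_GRAINED_RE.finditer(text)]
    return hits


def redact(token: str) -> str:
    """Never write the full secret into a ticket or a log line."""
    return token[:4] + "..." + token[-4:]


def assess_scopes(scopes_header: str) -> tuple:
    """Rate the comma-separated X-OAuth-Scopes value GitHub returns."""
    scopes = [s.strip() for s in scopes_header.split(",") if s.strip()]
    findings = [f"{s}: {HIGH_RISK[s]}" for s in scopes if s in HIGH_RISK]
    return scopes, findings


def live_scopes(token: str) -> str:
    """Ask GitHub what a classic token can do (network; not run offline).
    X-OAuth-Scopes is the documented response header carrying the scopes."""
    req = Request("https://api.github.com/user", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "leaked-token-triage",
    })
    with urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


# Constructed sample: one well-formed classic token, one with a corrupted
# checksum (a typo or a redaction gone wrong), one fine-grained PAT.
PAYLOAD = "0123456789abcdefghijklmnopqrst"
SAMPLE_TOKEN = "ghp_" + PAYLOAD + base62_checksum(PAYLOAD)
TAMPERED_TOKEN = SAMPLE_TOKEN[:-1] + ("0" if SAMPLE_TOKEN[-1] != "0" else "1")
FINE_GRAINED_TOKEN = "github_pat_" + "A" * 22 + "_" + "B" * 59
SAMPLE_DIFF = f"""+export GITHUB_TOKEN={SAMPLE_TOKEN}
+# old one, no longer works: {TAMPERED_TOKEN}
+export GH_PAT={FINE_GRAINED_TOKEN}
"""

if __name__ == "__main__":
    for tok, kind, valid in find_tokens(SAMPLE_DIFF):
        print(f"{redact(tok)}  {kind:12s}  checksum_ok={valid}")
    # A header captured from live_scopes() would be fed in here; this value
    # is constructed to mirror the repository access the article describes.
    scopes, findings = assess_scopes("repo, workflow, read:user")
    print("scopes:", scopes)
    for line in findings:
        print("HIGH:", line)
```

Two practical notes. First, a positive `checksum_ok` result only says the string is shaped like a real token; the scope check is what tells you whether a leak is a nuisance or a pipeline takeover, and `repo` plus `workflow` is exactly the combination that reaches private source and CI. Second, revoking the token is the easy half: the open question the article ends on, whether anyone else used it, can only be answered from audit logs that were already being collected while the token was public.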