Home Depot exposed access to its internal systems for a year after one of its employees posted a private access code online, likely by mistake, a security researcher said. A researcher found the exposed code and attempted to alert Home Depot privately to its vulnerability but was ignored for several weeks.
The exposure has now been fixed after TechCrunch contacted company representatives last week.
Security researcher Ben Zimmerman told TechCrunch that in early November he found a GitHub access token belonging to a Home Depot employee posted online; the token had been exposed sometime in early 2024.
When he tested the token, Zimmerman said it granted access to hundreds of Home Depot's source code repositories hosted on GitHub and allowed him to modify their contents.
The token also allowed access to Home Depot's cloud infrastructure, including order fulfillment and inventory management systems, and to code development pipelines, among other systems, the researcher said. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub.
Zimmerman said he sent several emails to Home Depot but received no response.
He also did not get a response from Chris Lanzilotta, Home Depot’s chief information security officer, after sending a message via LinkedIn.
Zimmerman told TechCrunch that in recent months he had uncovered several similar exposures at other companies, which thanked him for his findings.
“Home Depot is the only company that ignored me,” he said.
Since Home Depot offers no way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmerman contacted TechCrunch in an attempt to get the exposure fixed.
When TechCrunch reached out to a Home Depot spokesperson on December 5, George Lane acknowledged receipt of our email but did not respond to follow-up emails seeking comment. The exposed token is no longer available online, and the researcher said that access to the token was revoked shortly after we contacted him.
We also asked Lane whether Home Depot had the technical means, such as logs, to determine whether anyone else had used the token during the months it remained online to access any of Home Depot’s internal systems. We didn’t hear back.