Last month I was browsing Gist on GitHub, reading a little script, and I forked it. I opened Chrome and navigated to my Gist URL, but I was logged in with another account, so I decided to comment on that Gist to do some tests.
While testing I made sure that I (the admin and creator of the Gist) could edit it, delete it... but I WASN'T ABLE to edit other users' comments. I did not find that option in either the GitHub API or the UI.
- I opened my proxy
- I edited a comment I had made previously
- I changed the comment ID in the request to another user's comment ID
- I forwarded the request
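The steps above are a classic IDOR (insecure direct object reference) check: the only thing that changes between the legitimate request and the test request is the object ID, so whether the edit goes through depends entirely on the server doing an object-level ownership check rather than just a "logged in" check. The following is an added example, not GitHub's code and not part of the original post: a constructed in-memory model of a comment-edit handler with a vulnerable and a hardened version, plus a function that mirrors the proxy replay (edit your own comment, then resend with someone else's ID). All names (`Gist`, `Comment`, `edit_comment_*`, the user names and comment IDs) are hypothetical.

```python
"""Object-level authorization check on a comment-edit endpoint (constructed model)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the edit."""


@dataclass
class Comment:
    id: int
    author: str
    body: str


@dataclass
class Gist:
    owner: str
    comments: dict = field(default_factory=dict)  # comment id -> Comment


def edit_comment_vulnerable(gist, session_user, comment_id, new_body):
    """Checks only that the caller is logged in and the comment exists.

    The comment ID supplied by the client is trusted as the scope of the edit,
    so any logged-in user can rewrite any comment by swapping the ID.
    """
    if session_user is None:
        raise Forbidden("login required")
    comment = gist.comments[comment_id]  # KeyError if the ID does not exist
    comment.body = new_body
    return comment


def edit_comment_hardened(gist, session_user, comment_id, new_body):
    """Same handler with an object-level check: the comment must belong to the caller.

    Note that being the gist owner is NOT enough to edit someone else's comment,
    matching the UI/API behaviour described in the post.
    """
    if session_user is None:
        raise Forbidden("login required")
    comment = gist.comments.get(comment_id)
    if comment is None:
        raise KeyError(comment_id)
    if comment.author != session_user:
        raise Forbidden(f"{session_user} does not own comment {comment_id}")
    comment.body = new_body
    return comment


def replay_with_swapped_id(edit_fn, gist, caller, own_id, victim_id):
    """Mirror of the proxy steps: edit own comment, then resend with another user's ID.

    Returns True if the second request modified the other user's comment (IDOR),
    False if the server refused it.
    """
    edit_fn(gist, caller, own_id, "edited my own comment")
    try:
        edit_fn(gist, caller, victim_id, "tampered")
        return True
    except Forbidden:
        return False


def build_sample_gist():
    """Constructed sample data: alice owns the gist, bob has commented on it."""
    gist = Gist(owner="alice")
    gist.comments[101] = Comment(101, "alice", "first comment")
    gist.comments[102] = Comment(102, "bob", "second comment")
    return gist


if __name__ == "__main__":
    # Owner (alice) tries to edit bob's comment by swapping the ID in the request.
    for name, fn in (("vulnerable", edit_comment_vulnerable),
                     ("hardened", edit_comment_hardened)):
        g = build_sample_gist()
        idor = replay_with_swapped_id(fn, g, "alice", own_id=101, victim_id=102)
        print(f"{name}: other user's comment modified = {idor}; "
              f"comment 102 now reads {g.comments[102].body!r}")
```

When testing a real endpoint the same way, pair the ID swap with a second account's comment you control, so that a positive result is confirmed by reading the comment back as that account rather than inferred from a 200 response alone; a server may answer 200 and silently ignore the write.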
Sadly, I got this after a few emails from one of their engineers:
8th April, first answer from their team:
6th May, final answer:
This is the Proof of Concept video that I attached to my report:
In the end I'm happy with this report and I agree with their decision.
I would like to thank their security team, and especially Greg Ose.