Full Report
The author of this post noticed a new piece of functionality in Github: LaTeX support. This support was given in Markdown through the library MathJax. Since the combining of many different libraries is very complicated to do, the author decided to take a look around at it. A valid macro looks like $$macro{}$$. First, they noticed that the tag $$\HELLO{}$$ went through. But, this ONLY happens with a leading slash after the $$ for the math operator being declared. Although, this didn't allow for any crazy tags besides tags. This led to them being able to add many different style expressions such as changing the background of the page. Unfortunately, this was closed as a duplicate almost immediately. Within the math expressions though, there was still a lack of input validation. Simply putting $$Test{}$$ would render a div. Similar payloads could be used for input forms as well. Using a payload in here could AGAIN be used to change the CSS on the page to do malicious things. But, the author had jumped the gun as the fixing of the first issue fixed this issue as well. Third times the charm, as they say. The original payload of putting the tags after the slash (\) wasn't working anymore; anything put in there was simply filtered out. However, now tags within the curly braces were being rendered ONLY when the ones with the backslash were being filtered out. $$\{&ltrenderTag&gt}$$ is a working payload demonstrating this. This appears like some code was exiting earlier than it should have. Only some of the tags were rendering though. Eventually, they went with the payload containing an input tag for a fake login screen to send the credentials to the user. Still, no XSS from this but still quite a bit of impact. Github accepted this as a medium severity finding and paid out 10K for the issue. Overall, good post on methodology of XSS hunting and target finding.
Analysis Summary