As mentioned by Yasin, Github offers an endpoint where privileged users can recover bypass codes. These recovery codes were accessible for download as plaintext and had the content-type as text/plain , something like:

XXXXX-XXXXX

X-Content-Type-Options: nosniff

nosniff

valueOf

1048576!

Disclosure timeline

Acknowledgement

For more Javascript trickery follow me on Twitter.

What immediately caught my attention was that the format of the code forms (with some exceptions) a valid JavaScript file with lines in the format of, ten hex digits separated by a hyphen.This remember an old blog post of mine where I could possibly exfiltrate information from properties file formatted in a peculiar way. And another great blog post: Plain text considered harmful: A cross-domain exploit. So I thought I could do something similar here. It did not take long until I found the right approach.also in this case Github sets theto prevent browsers from interpreting this content as valid JavaScript or other file types. But while Firefox now added support forthe browser compatibility is still spotty (I am looking at you Safari!!).But without waiting any further HERE is the live POC. The nut of the trick is to define afunction for the corresponding variable:We are talking about enumerating/brute-forcing 5 hex digit variables that requires a considerable effort, but is far from be unfeasible. A rough calculation tells us that we need to define about 16^5 variables that are aboutnot all the codes are valid Javascript variable (e.g. the one starting with a number are not). For a random hexadecimal digit that's six out of sixteen, thus a 37.5% chance.Reported the issue via Hackerone.Github triaged the issue.Bounty awardedI would like to thank the Github security team, you guys rock, really!!Well that's all folks.