GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens

Technology

Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations.

“An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley disclosed in a report.

CyberSecurity

OAuth access tokens are often used by apps and services to authorize access to specific parts of a user’s data and communicate with each other without having to share the actual credentials. It’s one of the most common methods used to pass authorization from a single sign-on (SSO) service to another application.

As of April 15, 2022, the list of affected OAuth applications is as follows –

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831), and
  • Travis CI (ID: 9216)

The OAuth tokens are not said to have been obtained via a breach of GitHub or its systems, the company said, as it doesn’t store the tokens in their original, usable formats.

Additionally, GitHub warned that the threat actor may be analyzing the downloaded private repository contents from victim entities using these third-party OAuth apps to glean additional secrets that could then be leveraged to pivot to other parts of their infrastructure.

The Microsoft-owned platform noted it found early evidence of the attack campaign on April 12 when it encountered unauthorized access to its NPM production environment using a compromised AWS API key.

CyberSecurity

This AWS API key is believed to have been obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub said it has since revoked the access tokens associated with the affected apps.

“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials,” the company said, adding it’s still investigating to ascertain if the attacker viewed or downloaded private packages.

GitHub also said it’s currently working to identify and notify all of the known-affected victim users and organizations that may be impacted as a result of this incident over the next 72 hours.

Products You May Like

Articles You May Like

USC and Rams coaching legend John Robinson dies at 89 – NBC Los Angeles
North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS
Jordan Chiles Still Fighting Bronze Olympic Medal Los
Santa Monica mother urges officials to provide more security amid racist texts – NBC Los Angeles
Joyce Carol Oates and JK Rowling Are Fighting. Thank God