GitHub: attackers breach dozens of organizations using stolen OAuth tokens


The GitHub security team has disclosed evidence that an attacker abused stolen OAuth user tokens issued to Heroku and Travis CI (two third-party OAuth integrators) to download data from the repositories of dozens of organizations, compromising their private GitHub content.

GitHub's security team disclosed the findings of an investigation that began on April 12, 2022.

On Friday, April 15, 2022, GitHub stated that an as-yet unidentified attacker used stolen OAuth user tokens (issued to Heroku and Travis CI) to download private data from dozens of companies and organizations.

Affected organizations include npm as well as other GitHub users and organizations that used applications from the targeted integrators, GitHub itself among them, said Mike Hanley, GitHub's chief security officer.

GitHub itself was not breached

Mike Hanley stated that the attacker did not obtain the tokens through a breach of GitHub or its systems.

The two integrators (Heroku and Travis CI) maintain applications used by GitHub users, including GitHub itself. GitHub's own systems were not the source of the tokens, because GitHub does not store OAuth tokens in their original, usable form; it keeps only a hashed representation that cannot be presented as a credential.

"We do not believe an attacker could obtain these tokens through a compromise of GitHub or its systems, as GitHub does not store these tokens in their original, usable format," Mike said.
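Why a stolen copy of GitHub's token database would not help an attacker can be shown with a small hashed-token store. The following is an added illustration, not GitHub's implementation: the `TokenStore` class and its method names are invented for this example, the `gho_` prefix is the one GitHub uses for OAuth user tokens, and the app ID 9216 is the Travis CI ID from the affected-apps list, used here only as sample data.

```python
import hashlib
import secrets

# Added illustration of storing OAuth tokens only in hashed form (assumption:
# a minimal store, not GitHub's code). "gho_" is GitHub's OAuth user token
# prefix; app ID 9216 (Travis CI, from the affected-apps list) is sample data.
TOKEN_PREFIX = "gho_"


def digest(token):
    # Tokens carry well over 128 bits of entropy, so a fast unsalted hash is
    # enough: unlike passwords, the pre-image cannot be brute-forced.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Keeps SHA-256 digests of issued tokens, never the tokens themselves."""

    def __init__(self):
        self._records = {}  # digest -> {"user", "app_id", "scopes", "revoked"}

    def issue(self, user, app_id, scopes):
        token = TOKEN_PREFIX + secrets.token_urlsafe(30)
        self._records[digest(token)] = {
            "user": user,
            "app_id": app_id,
            "scopes": tuple(scopes),
            "revoked": False,
        }
        # Returned exactly once to the caller; the store cannot reproduce it.
        return token

    def authenticate(self, presented):
        # Lookup is keyed by the digest of what is presented, so a leaked copy
        # of self._records contains nothing that this method will accept.
        rec = self._records.get(digest(presented))
        if rec is None or rec["revoked"]:
            return None
        return rec

    def revoke_app(self, app_id):
        # What GitHub did for the affected integrators: revoke every token
        # issued to a given OAuth app ID. Returns how many were revoked.
        count = 0
        for rec in self._records.values():
            if rec["app_id"] == app_id and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def dump(self):
        # What a database compromise would yield: digests only.
        return list(self._records)


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("alice", 9216, ["repo"])
    print("issued:", token)
    print("valid:", store.authenticate(token) is not None)
    print("stolen dump usable:", any(store.authenticate(d) for d in store.dump()))
    print("revoked:", store.revoke_app(9216))
    print("valid after revocation:", store.authenticate(token) is not None)
```

Because the plaintext token exists only at issue time, a leak of the store or its backups gives an attacker nothing to present. What remains exploitable is wherever the integrator kept the plaintext tokens it received, which is exactly where this incident points.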

Mike added in his blog post: "Our analysis of the attacker's other behavior suggests that these actors may be mining the downloaded private repository contents that the stolen OAuth tokens could access for infrastructure secrets."

What is an OAuth access token?

OAuth is an authorization framework that lets services and applications obtain delegated access to a user's data, and talk to each other on the user's behalf, without the user's credentials ever being shared. The credential that carries this delegated access is the OAuth access token: a bearer secret issued to a specific application with a specific set of scopes, so whoever holds it can act with those scopes until it is revoked. It is the standard way to pass authorization from a single sign-on (SSO) service to another application. As of April 15, 2022, the list of affected OAuth applications is:

Travis CI (ID: 9216)
Heroku Dashboard (ID: 145909)
Heroku Dashboard (ID: 628778)
Heroku Dashboard – Preview (ID: 313468)
Heroku Dashboard – Classic (ID: 363831)
Source: GitHub


GitHub said the campaign came to light when it detected unauthorized access to npm's production infrastructure using a compromised AWS API key.

According to GitHub's analysis, the AWS API key was obtained by downloading an unspecified set of private npm repositories using an OAuth token stolen from one of the two affected integrators. GitHub said it has revoked the access tokens associated with the affected apps.
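The attacker's pivot, mining downloaded repository contents for credentials such as the AWS key that opened npm's production environment, is worth running against your own repositories before someone else does. The following is an added example, not GitHub's or npm's tooling: a small scanner for AWS access key IDs, AWS secret keys and GitHub-format tokens, with a Shannon-entropy filter to drop placeholder values. The sample repository contents are constructed; the AWS values are the placeholder credentials from AWS's own documentation and the `gho_` token is made up.

```python
import math
import re

# Added example scanner (not GitHub's or npm's code). Patterns cover the two
# credential types this incident turned on. AKIA/ASIA + 16 chars and the
# 40-character secret are AWS's documented formats; gh?_ + 36 characters is
# GitHub's documented token format.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})"
)
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")

# Candidate secrets below this many bits of entropy per character are almost
# always placeholders ("xxxx...", "changeme") and are dropped to cut noise.
MIN_ENTROPY = 3.0


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= MIN_ENTROPY:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": secret})
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "github_token", "value": m.group(0)})
    return findings


def scan_repo(files):
    """files: mapping of path -> contents, e.g. a checked-out repository."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def redact(value):
    # Never echo a live credential into logs or tickets; show the ends only.
    return value[:4] + "..." + value[-4:]


# Constructed sample repository. The AWS pair is the placeholder from AWS's
# documentation; the gho_ token is invented; README holds a deliberate
# low-entropy placeholder that the scanner should ignore.
SAMPLE_REPO = {
    "config/deploy.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/publish.sh": (
        "#!/bin/sh\n"
        "GITHUB_TOKEN=gho_16C7e42F292c6912E7710c838347Ae178B4a\n"
        "npm publish\n"
    ),
    "README.md": f"Set aws_secret_access_key = {'x' * 40} in your environment.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {redact(f['value'])}")
```

Every hit is a credential to rotate, not just to delete from the file: once a private repository has been downloaded, removing the secret from the working tree or even rewriting history does nothing for copies the attacker already holds.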

The GitHub security team further noted that there is no indication the attacker modified any packages or gained access to any user credentials or account data.

Mike emphasized: "The attackers did not modify any packages and did not have access to any user account data or credentials. We are still working to understand if the attackers viewed or downloaded private packages. npm uses a completely separate infrastructure from GitHub."

GitHub is still investigating whether the attacker viewed or downloaded private packages. The company also said it will notify all affected users and organizations within the next 72 hours.

If GitHub's analysis identifies you or your organization as affected, you will receive a notification email from GitHub within the next 72 hours with more details and next steps.

If no email arrives, GitHub's analysis has not identified you as affected. It is still worth reviewing which OAuth apps are authorized for your account and organization and checking your audit logs for unexpected repository access, since an integrator's stolen token grants whatever scopes you once approved for that app.

Author: SegmentFault 思否 一枚小编