GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.
Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:
“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps.
Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”
GitHub first uncovered signs that a malicious party had stolen OAuth user tokens on 12 April. The company disclosed its findings to Heroku and Travis-CI over the following couple of days.
Here are the OAuth applications that are known to be impacted (as of 15 April 2022):
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
GitHub believes attacks may be ongoing and is disclosing the information so that protective action can be taken.
For its part, the company has revoked tokens associated with GitHub and npm’s internal use of the compromised apps. GitHub also contacted Heroku and Travis-CI to request they revoke all OAuth user tokens associated with the affected apps, launch their own investigations, and notify impacted users.
GitHub says that it will alert any additional victims that are discovered as part of its investigation.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.