GitHub reported that threat actors used stolen OAuth user tokens to download data from dozens of firms

GitHub has revealed that attackers have abused OAuth user tokens issued to Heroku and Travis-CI, popular third-party OAuth integrators.

On Friday, GitHub disclosed that it had received evidence of an unidentified adversary using stolen OAuth user tokens issued to Heroku and Travis-CI to illegally download private data from dozens of organizations.

The impacted organizations include NPM, according to Mike Hanley, GitHub's Chief Security Officer. The applications maintained by the targeted integrators were used by GitHub users and by GitHub itself. The campaign was first detected on 12 April 2022.


Source: github.blog


What are OAuth Access Tokens?

OAuth access tokens are used by services and applications to authorize access to user data and to communicate with each other without sharing credentials. This is a standard method of passing authorization from a single sign-on (SSO) service to another application. The list of impacted OAuth applications, as of 15 April 2022, includes the following:

  • Travis CI (ID: 9216)
  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)

Source: GitHub

“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” states the company. “Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”


Remediation Measures

The Microsoft-owned GitHub noted that it identified the campaign after encountering unauthorized access to its NPM production ecosystem via a compromised AWS API key. That key was reportedly obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth tokens. GitHub has revoked the access tokens linked to the impacted apps.

GitHub further noted that there is no indication that the attacker modified any package or gained access to any user credentials or user account data. The company is still investigating whether the attacker viewed or downloaded private packages. It also said it would notify all impacted users and organizations over the next 72 hours.


GitHub is notifying all impacted users and organizations with additional information as they are identified.

You should review your organization's audit logs and your user account security logs for anomalous, potentially malicious activity.
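To make that review concrete, here is an added Python example (not GitHub's code or the article's) that scans exported audit-log lines for two signals relevant to this campaign: events attributed to the impacted OAuth application IDs listed above, and a single actor cloning or downloading many distinct repositories within a short window. The sample log lines are constructed; the `action`, `actor` and `repo` fields mirror GitHub's audit log, while the ISO timestamp format and the `oauth_application_id` field are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# OAuth application IDs named in GitHub's advisory (the list above)
IMPACTED_APP_IDS = {9216, 145909, 628778, 313468, 363831}

# Constructed sample audit-log export (one JSON object per line, not real data).
# `oauth_application_id` and the ISO `created_at` format are assumptions.
SAMPLE_LOG = """
{"action":"git.clone","actor":"alice","repo":"acme/web","created_at":"2022-04-12T10:00:00Z","oauth_application_id":145909}
{"action":"git.clone","actor":"bob","repo":"acme/r1","created_at":"2022-04-12T11:00:00Z"}
{"action":"git.clone","actor":"bob","repo":"acme/r2","created_at":"2022-04-12T11:01:00Z"}
{"action":"repo.download_zip","actor":"bob","repo":"acme/r3","created_at":"2022-04-12T11:02:00Z"}
{"action":"git.clone","actor":"bob","repo":"acme/r4","created_at":"2022-04-12T11:03:00Z"}
{"action":"git.clone","actor":"bob","repo":"acme/r5","created_at":"2022-04-12T11:04:00Z"}
{"action":"git.clone","actor":"carol","repo":"acme/web","created_at":"2022-04-12T12:00:00Z","oauth_application_id":424242}
{"action":"git.clone","actor":"carol","repo":"acme/web","created_at":"2022-04-12T13:00:00Z"}
"""

def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_events(events, window=timedelta(minutes=10), threshold=5):
    """Return findings as tuples:
    ("impacted_app", actor, repo) for events tied to an impacted OAuth app ID,
    ("bulk_clone", actor, n) when an actor cloned/downloaded >= threshold
    distinct repos inside `window` (bulk exfiltration pattern)."""
    findings = []
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("oauth_application_id") in IMPACTED_APP_IDS:
            findings.append(("impacted_app", ev["actor"], ev["repo"]))
        if ev["action"] in ("git.clone", "repo.download_zip"):
            ts = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
            by_actor[ev["actor"]].append((ts, ev["repo"]))
    for actor, items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # distinct repos touched in the window starting at this event
            repos = {r for t, r in items[i:] if t - t0 <= window}
            if len(repos) >= threshold:
                findings.append(("bulk_clone", actor, len(repos)))
                break
    return findings

if __name__ == "__main__":
    for finding in flag_events(parse_events(SAMPLE_LOG)):
        print(finding)
```

Thresholds are starting points; tune `window` and `threshold` to your organization's normal clone volume before alerting on them.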

You can find more information on how GitHub responded to protect its users and what customers and organizations need to know in the security alert published on Friday.
