Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary using stolen OAuth user tokens to download private data from several organizations without authorization.
“An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley disclosed[1] in a report.
OAuth access tokens are often used[2] by apps and services to authorize access to specific parts of a user’s data and communicate with each other without having to share the actual credentials. It’s one of the most common methods used to pass authorization from a single sign-on (SSO[3]) service to another application.
As of April 15, 2022, the list of affected OAuth applications is as follows:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
The OAuth tokens are not said to have been obtained via a breach of GitHub or its systems, the company said, as it doesn’t store the tokens in their original, usable formats.
Additionally, GitHub warned that the threat actor may be analyzing the downloaded private repository contents from victim entities using these third-party OAuth apps to glean additional secrets that could then be leveraged to pivot to other parts of their infrastructure.
The Microsoft-owned platform noted it found early evidence of the attack campaign on April 12 when it encountered unauthorized access to its NPM production environment using a compromised AWS API key.
This AWS API key is believed to have been obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub said it has since revoked the access tokens associated with the affected apps.
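The pivot described above hinges on credentials sitting in repository contents, so the defensive counterpart is to find such secrets yourself first. The following is an added example, not code from GitHub, Heroku or Travis-CI: a minimal scanner that walks a constructed repository snapshot for AWS access key IDs and for high-entropy values assigned to secret-looking names; the regexes, the entropy cut-off and the sample files are this example's own assumptions, and the AWS values are AWS's documented example credentials, not live keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters and start with a known prefix.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assignments of secret-looking names to long opaque values, e.g. SECRET_KEY=...
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:secret|token|password)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+_-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for empty or uniform input)."""
    if not value:
        return 0.0
    counts = Counter(value)
    return -sum((n / len(value)) * math.log2(n / len(value)) for n in counts.values())


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_number, finding_kind) for each suspicious line."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            if AWS_KEY_ID_RE.search(line):
                findings.append((path, line_no, "aws_access_key_id"))
            match = SECRET_ASSIGN_RE.search(line)
            # Low-entropy values such as placeholders are left alone to cut noise.
            if match and shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_secret"))
    return findings


# Constructed repository snapshot; the AWS values are AWS's documented example
# credentials (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not live keys.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config/dev.yml": "password: changeme-changeme-changeme\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment before running.\n",
}

if __name__ == "__main__":
    for path, line_no, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}")
```

The placeholder password in `config/dev.yml` is skipped by the entropy filter while both lines of `.env` are reported, which is the trade-off a real secret scanner tunes.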
“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials,” the company said, adding it’s still investigating to ascertain if the attacker viewed or downloaded private packages.
GitHub also said it’s currently working to identify and notify, over the next 72 hours, all of the known-affected users and organizations that may be impacted as a result of this incident.
Read more https://thehackernews.com/2022/04/github-says-hackers-breach-dozens-of.html
