Hackers Broke Into Other People’s Repositories Using Stolen OAuth Tokens

Daniel ZimmermannApril 18, 2022

0 75 1 minute read

GitHub developers reported that unknown hackers used stolen OAuth tokens (issued by Heroku and Travis-CI) to download data from other people’s repositories. The first signs of the attack were noticed on April 12, 2022, and by that time the attackers had already stolen the data of dozens of organizations.

The attack was identified by GitHub Security specialists, who discovered unauthorized access to the GitHub npm infrastructure, as the attackers used a compromised AWS API key. This key was probably obtained by the hackers after exploring a number of private npm repositories using stolen OAuth tokens.

The attacker misused stolen OAuth tokens issued to two third-party integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM. Apps supported by these integrators have been used by GitHub users and GitHub itself.”the GitHub post reads.

The company says the hackers certainly did not obtain the tokens by compromising GitHub or its systems, as these tokens are not stored by GitHub in usable formats at all.

Analysis of the behavior of attackers suggests that they could look for secrets in the contents of private repositories, which were given access to stolen OAuth tokens, and then these secrets could be used to penetrate other infrastructures.GitHub specialists said.

According to GitHub, the list of affected OAuth applications includes:

Heroku Dashboard (ID: 145909);
Heroku Dashboard (ID: 628778);
Heroku Dashboard – Preview (ID: 313468);
Heroku Dashboard – Classic (ID: 363831);
Travis CI (ID: 9216).

After discovering a massive theft of third-party OAuth tokens not stored on GitHub or npm, on the evening of April 13, we immediately took action to protect them by revoking tokens associated with internal use of GitHub and npm of these compromised applications.adds GitHub head of security Mike Hanley.

The npm attack reportedly included unauthorized access to private repositories on GitHub.com and “potential access” to npm packages in the AWS S3 repository.

Although unknown attackers were able to steal data from the compromised repositories, GitHub believes that any of the packages was not changed, and the hackers did not gain access to user accounts or credentials during the incident.

Npm uses a completely separate infrastructure from GitHub.com, and GitHub was not affected by the initial attack. While the investigation is ongoing, we have found no evidence that other private repositories owned by GitHub were cloned by the attacker using stolen OAuth tokens.Hanley writes.

Currently, GitHub is already notifying all affected users and companies about the incident as and identify the affected users.

By the way, we also talked about the fact that Attackers have stolen from Waydev GitHub and GitLab OAuth tokens.

You might also be interested in what GitHub says it takes years to fix vulnerabilities in some ecosystems.

Sending