Cloud-based repository hosting service GitHub revealed on Friday that it discovered evidence of an anonymous adversary capitalizing on stolen OAuth user tokens to download private data from multiple organizations without permission.
“An attacker misused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley revealed in a report.
OAuth access tokens are often used by applications and services to authorize access to specific parts of a user’s data and communicate with each other without having to share actual credentials. This is one of the most common methods used to pass authorization from a single sign-on (SSO) service to another application.
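Because a stolen OAuth token carries every scope the user granted the integration, the practical question for a defender is what a given token can actually reach. api.github.com reports the scopes bound to an OAuth token in the `X-OAuth-Scopes` response header, and GitHub's scope documentation defines which scopes imply others (for example `repo` implies `public_repo` and `repo:status`). The following is an added example, not code from the article or from GitHub, Heroku or Travis CI; the integration names and the "required" scope lists in it are assumptions chosen for illustration, and the scope hierarchy table is a partial transcription of GitHub's documented scopes.

```python
"""Compare what a GitHub OAuth token is authorized to do against what an
integration plausibly needs.

GitHub returns the scopes granted to an OAuth token in the X-OAuth-Scopes
response header of any authenticated REST call. The hierarchy below is a
partial copy of GitHub's documented scope list (parent -> scopes it implies).
"""
from __future__ import annotations

import urllib.request

SCOPE_IMPLIES: dict[str, set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value: str) -> set[str]:
    """Parse the comma-separated X-OAuth-Scopes header; an empty header means no scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes) -> set[str]:
    """Transitive closure over the scope hierarchy, so 'repo' also counts as 'public_repo' etc."""
    result = set(scopes)
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        for child in SCOPE_IMPLIES.get(scope, ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def excess_scopes(granted_header: str, required) -> list[str]:
    """Scopes (after expansion) the token holds beyond what the integration needs."""
    granted = expand(parse_scopes(granted_header))
    needed = expand(set(required))
    return sorted(granted - needed)


def can_read_private_repos(granted_header: str) -> bool:
    """Only the full 'repo' scope grants read access to private repositories."""
    return "repo" in parse_scopes(granted_header)


def fetch_scopes(token: str) -> str:
    """Live lookup: GET /user and return the X-OAuth-Scopes header (network call, not used in tests)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:  # noqa: S310 - fixed https URL
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header value standing in for a real API response; the
    # "required" list is an assumed least-privilege profile for a CI status reporter.
    granted = "repo, read:org, user"
    required = ["repo:status", "read:org"]
    print("private repo read:", can_read_private_repos(granted))
    print("excess scopes:", excess_scopes(granted, required))
```

Run against a real token, the excess list tells you which data a thief of that token could have pulled. A CI integration that only posts commit statuses needs `repo:status`, not `repo`; the moment `repo` appears in the granted set, every private repository the user can see is in scope, which is exactly the exposure the incident above turned on.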
As of April 15, 2022, the list of affected OAuth applications is as follows:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Overview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831) and
- Travis CI (ID: 9216)
The OAuth tokens would not have been obtained through a breach of GitHub or its systems, the company said, because it does not store the tokens in their original usable formats.
Additionally, GitHub warned that the threat actor could analyze the contents of the private repositories downloaded from victim organizations through these third-party OAuth applications to glean additional secrets, which could then be exploited to pivot to other parts of their infrastructure.
The Microsoft-owned platform noted that it found the first evidence of the campaign on April 12, when it detected unauthorized access to its NPM production environment using a compromised AWS API key.
This AWS API key was allegedly obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub said it has since revoked the access tokens associated with the affected applications.
“At this point, we believe the attacker has not modified any packages or obtained access to any user account data or credentials,” the company said, adding that it is still investigating to determine whether the attacker viewed or downloaded private packages.
GitHub also said it is currently working to identify and notify all known victimized users and organizations potentially impacted by this incident within the next 72 hours.