GitHub Issues Warning That Private User Data Accessed Via OAuth Tokens 

On April 18th, GitHub issued this Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators. The alert warns that private repository contents were accessed via third-party OAuth user tokens maintained by Heroku and Travis CI. Which of course is very, very bad.

David Stewart, CEO of Approov, had this comment:

“API keys and OAuth tokens are prime targets for attackers because they are relatively long lifetime identifiers which can be exploited at scale via scripts, similar to credential stuffing techniques using traditional usernames and passwords.

Organizations must consider worst-case scenarios where API keys and OAuth tokens become available to bad actors and ensure that these assets can’t be weaponized against their business. A typical way to mitigate such situations is to implement an additional authentication requirement to ensure that these credentials can only be used from genuine remote client instances, e.g. web apps or mobile apps.”
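The mitigation Stewart describes, a token that is only honoured when the request also proves it came from a genuine client instance, can be illustrated with a sender-constrained (proof-of-possession) scheme. The example below is added here for illustration; it is not Approov's product, GitHub's OAuth implementation, or code from either integrator. It binds each issued token to a per-client secret and requires every request to carry a fresh HMAC over the method, URL, token hash and timestamp, so a token stolen on its own (as in this campaign) is refused. All client names, URLs and keys are constructed for the demo.

```python
"""Sender-constrained API tokens: a stolen bearer token alone is not enough.

Added illustration of the quoted mitigation. Generic HMAC proof-of-possession,
not any vendor's protocol; names, keys and URLs are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

# --- server side ------------------------------------------------------------

CLIENT_KEYS = {}          # client_id -> per-instance secret set at enrolment
TOKENS = {}               # bearer token -> client_id the token is bound to
PROOF_WINDOW_SECONDS = 60 # how stale a request proof may be before rejection


def enrol_client(client_id: str) -> bytes:
    """Register a genuine client instance and hand it a per-instance secret."""
    key = secrets.token_bytes(32)
    CLIENT_KEYS[client_id] = key
    return key


def issue_token(client_id: str) -> str:
    """Issue a bearer token bound to one enrolled client instance."""
    token = secrets.token_urlsafe(24)
    TOKENS[token] = client_id
    return token


def _proof_input(method: str, url: str, token: str, ts: int) -> bytes:
    """Canonical bytes both sides sign: request shape + token hash + time."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return f"{method}\n{url}\n{token_hash}\n{ts}".encode()


def verify_request(method, url, token, ts, proof, now=None) -> bool:
    """Accept only if the token is known, the proof is fresh, and the HMAC
    was produced with the secret of the client the token is bound to."""
    now = time.time() if now is None else now
    client_id = TOKENS.get(token)
    if client_id is None:
        return False
    if abs(now - ts) > PROOF_WINDOW_SECONDS:
        return False  # captured proofs cannot be replayed later
    expected = hmac.new(CLIENT_KEYS[client_id],
                        _proof_input(method, url, token, ts),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof)


# --- client side ------------------------------------------------------------

def sign_request(method, url, token, client_key, ts=None):
    """Genuine client: produce the per-request proof with its own secret."""
    ts = int(time.time()) if ts is None else ts
    proof = hmac.new(client_key, _proof_input(method, url, token, ts),
                     hashlib.sha256).hexdigest()
    return ts, proof


def demo():
    """Returns (genuine_ok, stolen_token_ok, replay_ok) for three scenarios."""
    url = "https://api.example.test/repos"   # constructed URL
    key = enrol_client("mobile-app-instance-1")
    token = issue_token("mobile-app-instance-1")

    # 1. Genuine client instance holding both token and secret.
    ts, proof = sign_request("GET", url, token, key)
    genuine_ok = verify_request("GET", url, token, ts, proof)

    # 2. Attacker who obtained only the token (e.g. from an integrator's store)
    #    and must guess a key.
    ts2, bad_proof = sign_request("GET", url, token, secrets.token_bytes(32))
    stolen_token_ok = verify_request("GET", url, token, ts2, bad_proof)

    # 3. Replay of a captured valid proof an hour later.
    replay_ok = verify_request("GET", url, token, ts, proof, now=ts + 3600)
    return genuine_ok, stolen_token_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The freshness window and the inclusion of method and URL in the signed input are what stop a captured proof from being reused against a different endpoint or at a later time; the per-instance secret is what a leaked token store does not contain.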

Chances are if you were affected by this, you will know about it. But it wouldn’t hurt to check your GitHub repositories to make sure.
