GitHub Provides An Update On Their Security Incident Involving Stolen OAuth User Tokens

Remember when I posted a story about GitHub releasing a security alert for an attack campaign using stolen OAuth user tokens issued by two third-party OAuth integrators? Well there was an update to that post that shares some additional details:

GitHub’s analysis of the attacker’s behavior reveals the following activities carried out on using stolen OAuth app tokens:

1. The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.
2. For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user’s organizations.
3. The attacker then selectively chose targets based on the listed organizations.
4. The attacker listed the private repositories for user accounts of interest.
5. The attacker then proceeded to clone some of those private repositories.

This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku.

Following this series of notifications, GitHub will have completed directly notifying each affected user for whom we were able to detect abuse using the stolen OAuth tokens.

In short, these were targeted attacks using OAuth tokens that effectively gives the attacker to ability to do a complete account takeover. Which is of course bad.

Yariv Shivek, VP of Product, Neosec had this comment on this news from GitHub:

“OAuth tokens and API keys are often stolen, leading to complete account takeover. When account takeover is for an admin account, the problems inside a business are exacerbated. But having your customers or business partners compromised and their identities assumed is a problem that is hard to detect. How can you know who’s using a token they present to your API? In this OAuth world, do you really know who’s connecting to which API on behalf of whom? Understanding the context of use of these APIs is fast becoming an essential requirement for protecting your business.”

GitHub has posted this blog post on the Best practices to keep your projects secure. But companies or individuals should do more to ensure that their GitHub repositories are actually secure. Because if they don’t, they could be the next target of a threat actor.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: