GitHub, the cloud-based repository hosting service, revealed on Friday that it has found evidence of an unnamed attacker using stolen OAuth user tokens to illegally download personal data from multiple organizations.
“The attackers used stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub's Mike Hanley said in a report disclosing the incident.
OAuth access tokens are commonly used by apps and services to authorize access to specific parts of a user's data and to communicate with each other without sharing the user's actual credentials. This is one of the most common methods for passing authentication from a single sign-on (SSO) service to another application.
As of April 15, 2022, the list of affected OAuth applications is:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831), and
- Travis CI (ID: 9216)
The OAuth tokens are said not to have been obtained through a compromise of GitHub or its systems, because GitHub does not store the tokens in their original, usable format.
GitHub further warned that the attacker may be analyzing the contents of private repositories downloaded from victim entities via these third-party OAuth apps, collecting secrets that could be used to pivot into other parts of the victims' infrastructure.
The Microsoft-owned platform noted that it uncovered the first evidence of the campaign on April 12, when it detected unauthorized access to NPM's production environment using a compromised AWS API key.
This AWS API key is believed to have been obtained by downloading an unspecified set of private NPM repositories using an OAuth token stolen from one of the two affected OAuth applications. GitHub states that it has since revoked the access tokens associated with the affected apps.
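The two defensive points above, keeping tokens in a form that is useless if the store leaks and revoking every token tied to a compromised integrator, as an added Python illustration (not GitHub's code): only a SHA-256 digest of each token is persisted, and a per-app revocation sweep invalidates all tokens issued to the listed app IDs. The store class, token format and record fields are assumptions; the app IDs are the ones listed in the article.

```python
import hashlib
import secrets
from dataclasses import dataclass

# App IDs named in the article; everything else here is a constructed example.
AFFECTED_APP_IDS = {145909, 628778, 313468, 363831, 9216}


@dataclass
class TokenRecord:
    app_id: int        # OAuth application the token was issued to
    owner: str         # user or org that granted the authorization
    scopes: tuple      # granted scopes, e.g. ("repo",)
    revoked: bool = False


class HashedTokenStore:
    """Persists only sha256(token); the raw token is returned once and forgotten."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}  # digest -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, app_id: int, owner: str, scopes: tuple) -> str:
        token = "gho_" + secrets.token_urlsafe(32)  # hypothetical token format
        self._records[self._digest(token)] = TokenRecord(app_id, owner, scopes)
        return token  # a dump of self._records does not contain this value

    def authorize(self, token: str):
        """Return the record for a presented token, or None if unknown/revoked."""
        rec = self._records.get(self._digest(token))
        return None if rec is None or rec.revoked else rec

    def revoke_app(self, app_id: int) -> int:
        """Incident response: invalidate every live token issued to one app."""
        count = 0
        for rec in self._records.values():
            if rec.app_id == app_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def stored_values(self) -> list:
        return list(self._records)  # what an attacker would see in a leaked store


def revoke_affected(store: HashedTokenStore) -> int:
    """Sweep all tokens issued to the affected integrator apps."""
    return sum(store.revoke_app(app_id) for app_id in AFFECTED_APP_IDS)
```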
“At this point, we evaluate that the attacker has not modified the package or accessed the data or credentials in the user account,” the company said, adding that it is continuing to investigate to confirm whether the attacker viewed or downloaded the private package.
GitHub also said it is currently working to identify and notify all known victim users and organizations that may be affected as a result of this incident over the next 72 hours.