Cloud-based repository hosting service GitHub revealed on Friday that it discovered evidence of an unnamed adversary taking advantage of stolen OAuth user tokens to download unauthorized personal data from a number of organizations.
“An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley said in a report.
OAuth access tokens are typically used by applications and services to gain access to specific parts of a user’s data and to communicate with each other without sharing the user’s actual credentials. This is one of the most common methods used to transfer authorization from a single sign-on (SSO) service to another application.
As of April 15, 2022, the list of affected OAuth applications is as follows:
Heroku Dashboard (ID: 145909)
Heroku Dashboard (ID: 628778)
Heroku Dashboard – Preview (ID: 313468)
Heroku Dashboard – Classic (ID: 363831)
Travis CI (ID: 9216)
The OAuth tokens were not obtained through a breach of GitHub or its systems, the company said, as it does not store the tokens in their original, usable format.
Additionally, GitHub warns that the threat actor may be parsing the private repository content downloaded from victim organizations via these third-party OAuth clients to collect additional secrets, which could then be leveraged to pivot to other parts of their infrastructure.
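Organizations assessing what could have been harvested from a downloaded repository can scan its contents for committed credential formats, the same kind of material the report describes. The following is an added example, not GitHub's or NPM's tooling; it uses AWS's documented placeholder credentials as constructed input, and the pattern set and file names are assumptions.

```python
import re

# Detector patterns for credential formats that are commonly committed to
# repositories (assumed set). AWS access key IDs begin with "AKIA" followed by
# 16 uppercase alphanumerics; GitHub personal/OAuth tokens carry "ghp_"/"gho_"
# prefixes followed by 36 alphanumerics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "github_token": re.compile(r"\b(gh[po]_[A-Za-z0-9]{36})\b"),
}


def scan_text(path, text):
    """Return one finding per credential-like match, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "type": name,
                    # Keep only a short preview so reports do not re-leak the secret.
                    "preview": value[:4] + "..." + value[-4:],
                })
    return findings


def scan_files(files):
    """Scan a mapping of path -> file contents, e.g. a checked-out repository."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents. The AWS values are the placeholder
# credentials from AWS documentation, not live keys; the GitHub token is fake.
SAMPLE_FILES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy.sh": "export GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
    "README.md": "No credentials here.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Any hit is a credential that must be rotated, since an attacker holding the repository contents already has the full value.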
The Microsoft-owned platform said it found initial evidence of the attack campaign on April 12, when it detected unauthorized access to an NPM production environment using a compromised AWS API key.
This AWS API key is believed to have been obtained by downloading an unknown set of private NPM repositories using stolen OAuth tokens from one of the two affected OAuth applications. GitHub says it has since revoked the access tokens associated with the affected apps.
“At this time, we assess that the attacker did not modify any packages or gain access to any user account data or login information,” the company said, adding that it is still investigating whether the attacker viewed or downloaded private packages.
GitHub also said it is currently working to identify and notify all known affected users and victim organizations that may be impacted by this issue over the next 72 hours.