GitHub has revealed details of a security breach that has allowed an unknown attacker to download data from dozens of private code repositories.
The attacker authenticated to the GitHub API using stolen OAuth user tokens issued to two third-party OAuth integrators – Heroku and Travis-CI.
In most cases where the affected Heroku or Travis CI OAuth apps were authorized in the users’ GitHub accounts, the attacker listed all the user’s organizations before selecting targets.
More specifically, the attacker listed the private repositories for user accounts of interest, and then proceeded to clone some of those private repositories.
“Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps,” GitHub warned in a blog post.
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot [attacks] into other infrastructure.”
Timeline
GitHub discovered the breach on April 12, when the attacker accessed GitHub’s npm production infrastructure, and disclosed the breach three days later.
Along with Heroku and Travis CI, GitHub has revoked all OAuth tokens to block further access, while still advising affected organizations to keep monitoring for suspicious activity.
Travis CI says it doesn’t believe that the incident poses a risk to customers. “The hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.
“This key does not provide access to any Travis CI customer repositories or any Travis CI customer data,” it said in a blog post.
“We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access.”
Heroku is advising customers who see evidence of exfiltration in their logs to check repositories for any credentials that may have been compromised, and mitigate access by disabling accounts and rotating credentials as needed. It also recommends revoking or rotating any exposed credentials.
“For the protection of our customers, we will not be reconnecting to GitHub until we are certain that we can do so safely, which may take some time,” it warned. “We recommend that customers use alternate methods rather than waiting for us to restore this integration.”
Source: https://portswigger.net/daily-swig/github-offers-post-mortem-on-recent-security-breach
