GitHub has revealed that attackers abused OAuth user tokens issued to Heroku and Travis-CI, two popular third-party OAuth integrators.
GitHub said on Friday that it had received evidence of an unidentified adversary using stolen OAuth user tokens issued to Heroku and Travis-CI to illegally download private data from dozens of organizations.
The impacted organizations include NPM, stated Mike Hanley, Chief Security Officer of GitHub. The applications maintained by the targeted integrators were used both by GitHub users and by GitHub itself. The campaign was first detected on 12 April 2022.
GitHub Wasn’t Compromised
Hanley says the threat actor did not obtain these tokens by compromising GitHub.
“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats.” (Mike Hanley)
Instead, the threat actor’s behavior suggests that they might have mined the contents of the private repositories the stolen OAuth tokens could access, looking for secrets they could use to pivot into other infrastructure.
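The pivot Hanley describes depends on credentials sitting in repository contents. The following is an added example, not code from GitHub, Heroku or Travis-CI: a minimal secret scanner a defender can run over a checkout to find AWS access key IDs and GitHub tokens before a leaked token can expose them. The sample files and key values are constructed, and the regular expressions cover only these credential formats.

```python
import re
from typing import Dict, List, Tuple

# Patterns for credential formats that commonly leak into source trees.
# AWS access key IDs have a fixed prefix and length; GitHub tokens carry a
# type prefix (ghp_ personal, gho_ OAuth, ghu_/ghs_ app, ghr_ refresh).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # 40-char AWS secret, only when labelled as such, to limit false positives
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I),
}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, finding_type) for every match in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents (e.g. built from a git checkout)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample checkout; the key values are fake and match formats only.
SAMPLE_REPO = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "scripts/deploy.sh": "#!/bin/sh\nexport GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
    "README.md": "No secrets here; see docs/.\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```

Any hit should be treated as a credential to rotate, not merely delete, since git history and any earlier clone still hold the value.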
What are OAuth Access Tokens?
OAuth access tokens are used by services and applications to authorize access to user data and to communicate with each other without sharing credentials. OAuth is a standard method for passing authorization from one application, such as a single sign-on (SSO) service, to another. As of 15 April 2022, the impacted OAuth applications include the following:
- Travis CI (ID: 9216)
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
The Microsoft-owned GitHub noted that it identified the attack campaign after encountering unauthorized access to its NPM production ecosystem via a compromised AWS API key. That key was reportedly obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth tokens. GitHub has revoked the access tokens linked to the impacted apps.
GitHub further noted that there is no indication that the attacker modified any package or gained access to any user credentials or user account data. The company is still investigating whether the attacker only viewed private packages or also downloaded them. It also said it would notify all impacted users and organizations over the next 72 hours.