Uncovered: Threat Actors Abused Stolen OAuth User Tokens Issued to Third-Parties

Uncovered: Threat Actors Abused Stolen OAuth User Tokens Issued to Third-Parties

GitHub has uncovered threat actors using stolen OAuth user tokens to gain access to their repositories and download private data from several organizations.

Threat actors abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. GitHub excludes that the attacker obtained these tokens via a compromise of GitHub or its systems, the company explained that the stolen tokens used to access the repositories are not stored by GitHub in their original, usable formats.

On April 12, the company launched an investigation into a series of unauthorized access to data stored in repositories of dozens of organizations. The experts first detected the intrusion on April 12 when the company’s security team identified unauthorized access to their npm production infrastructure using a compromised AWS API key.

The threat actors allegedly obtained the AWS API key by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.” reads the post published by the company.

Threat actors may are harvesting sensitive data from private repositories using stolen OAuth token, known-affected OAuth applications as of April 15 are:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack.” states the company. “Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”

The Microsoft-owned firm is still investigating the compromise notifying affected organizations.

“GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com.” concludes the company. “These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours.”

 

 Source: