Stolen OAuth tokens used to download data from dozens of organizations, GitHub warns

GitHub reported that threat actors used stolen OAuth user tokens to exfiltrate private data from several organizations.

GitHub uncovered threat actors using stolen OAuth user tokens to gain access to their repositories and download private data from several organizations.

Threat actors abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. GitHub excludes that the attacker obtained these tokens via a compromise of GitHub or its systems, the company explained that the stolen tokens used to access the repositories are not stored by GitHub in their original, usable formats. 

On April 12, the company launched an investigation into a series of unauthorized access to data stored in repositories of dozens of organizations. The experts first detected the intrusion on April 12 when the company’s security team identified unauthorized access to their npm production infrastructure using a compromised AWS API key.

The threat actors allegedly obtained the AWS API key by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.” reads the post published by the company.

Threat actors may are harvesting sensitive data from private repositories using stolen OAuth token, known-affected OAuth applications as of April 15 are:

• Heroku Dashboard (ID: 145909)
• Heroku Dashboard (ID: 628778)
• Heroku Dashboard – Preview (ID: 313468)
• Heroku Dashboard – Classic (ID: 363831)
• Travis CI (ID: 9216)

“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack.” states the company. “Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”

The Microsoft-owned firm is still investigating the compromise notifying affected organizations.

“GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com.” concludes the company. “These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OAuth)

[adrotate banner=”5″]

[adrotate banner=”13″]