The cloud-based repository hosting service GitHub revealed on Friday that it had discovered evidence of an unnamed adversary using stolen OAuth user tokens to download private data from multiple organizations without authorization.
“An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley revealed in a report.
OAuth access tokens are often used by apps and services to authorize access to specific parts of a user’s data and to communicate with each other without having to share the actual credentials. It is one of the most common methods used to pass authorization from a single sign-on (SSO) service to another application.
As of April 15, 2022, the list of affected OAuth applications is as follows –
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Example (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831), and
- Travis CI (ID: 9216)
The OAuth tokens were not obtained through a breach of GitHub or its systems, the company said, because it does not store tokens in their original, usable formats.
In addition, GitHub warned that the threat actor might be analyzing the private repository content downloaded from victim organizations that use these third-party OAuth apps, in order to gather additional secrets that could then be exploited to pivot to other parts of their infrastructure.
The Microsoft-owned platform noted that it found early evidence of the April 12 attack campaign when it encountered unauthorized access to its NPM production environment using a compromised AWS API key.
This AWS API key is believed to have been obtained by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub said it has since revoked the access tokens associated with the affected apps.
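Because cloud keys stored in private repositories become exposed once repository contents are downloaded, a defender's first step is to find such keys and rotate them. The following is an added example, not code from GitHub's report: a minimal scanner for AWS access key IDs that ranks findings with a secret-shaped string nearby first. The sample files are constructed and use the placeholder credentials from AWS's own documentation; all function names are hypothetical.

```python
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters. Other 40-character
# strings (for example SHA-1 hex digests) also match, so treat this as a hint.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def redact(value, keep=4):
    """Keep only the prefix so the report does not become a new leak."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(path, text, window=2):
    """Report each key ID and whether a secret-shaped string is within `window` lines."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            nearby = "\n".join(lines[lo:hi])
            findings.append({
                "path": path,
                "line": i + 1,
                "key_id": redact(m.group(0)),
                "temporary": m.group(1) == "ASIA",
                "secret_nearby": bool(SECRET_RE.search(nearby)),
            })
    return findings

def scan_repo(files):
    """files maps path -> text. Full credential pairs sort first (rotate those first)."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return sorted(out, key=lambda f: not f["secret_nearby"])

# Constructed sample repository content (AWS documentation placeholder values).
SAMPLE_REPO = {
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                   "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "docs/setup.md": "Set the key ID (for example AKIAIOSFODNN7EXAMPLE) in CI.\n",
    "src/app.py": "REGION = 'us-east-1'\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

A match is a reason to rotate the key, not only to delete the line, since the value remains in Git history.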
“At this time, we assess that the attacker did not modify any packages or access any user account data or credentials,” the company said, adding that it is still investigating to determine if the attacker saw or downloaded private packages.
GitHub also said it is working to identify and notify all known affected users and organizations within the next 72 hours.