Hackers used stolen OAuth access tokens to breach organizations

On Friday, GitHub, an open-source software hosting site, said that it had uncovered evidence of an unknown attacker illegally acquiring sensitive data from several organizations using stolen OAuth user credentials.

“An attacker utilized stolen OAuth user credentials given to two third-party OAuth integrators, Heroku and Travis-CI, to access data from a variety of organizations, including NPM,” according to GitHub’s Mike Hanley.

More than 73 million developers work together on GitHub to create the future of programming.

Contributing to open source is a terrific way to get involved.

OAuth access tokens are used by applications and services to gain access to specific pieces of a user’s data and to interact with one another without disclosing the user’s genuine credentials. 
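To make the delegated-access model above concrete, here is an added Python illustration (not GitHub’s, Heroku’s or Travis CI’s code, and not GitHub’s API) of why a stolen token is dangerous and why revoking every token issued to an affected app is the right response: the app never sees the user’s password, the token alone is enough to read the scopes the user granted, and the token stays valid until the authorization server revokes it. All class names, app IDs and the sample user are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    """An opaque bearer token bound to one OAuth app, one user and a set of scopes."""
    value: str
    app_id: int
    user: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Constructed stand-in for the identity provider that issues and revokes tokens."""

    def __init__(self):
        self._tokens = {}           # token value -> Token
        self._user_passwords = {}   # user -> password; never handed to any app

    def register_user(self, user, password):
        self._user_passwords[user] = password

    def issue_token(self, user, password, app_id, scopes):
        # The user authenticates here, directly; the third-party app only receives the token.
        if not hmac.compare_digest(self._user_passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        tok = Token(secrets.token_urlsafe(32), app_id, user, frozenset(scopes))
        self._tokens[tok.value] = tok
        return tok.value

    def introspect(self, token_value):
        """Return the live Token for a value, or None if unknown or revoked."""
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked:
            return None
        return tok

    def revoke_app(self, app_id):
        """Revoke every token issued to one OAuth app; returns how many were revoked."""
        count = 0
        for tok in self._tokens.values():
            if tok.app_id == app_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


class ResourceServer:
    """Constructed stand-in for the API that holds private repositories."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.private_repos = {"alice": ["alice/secret-service"]}

    def list_private_repos(self, token_value):
        # Only the bearer token is presented: no password, no proof of who holds it.
        tok = self.auth.introspect(token_value)
        if tok is None:
            return ("denied", "token invalid or revoked")
        if "repo" not in tok.scopes:
            return ("denied", "scope 'repo' not granted")
        return ("ok", self.private_repos.get(tok.user, []))


def demo():
    """Issue two tokens, show scope enforcement, then revoke one app's tokens."""
    auth = AuthorizationServer()
    auth.register_user("alice", "correct horse battery staple")
    rs = ResourceServer(auth)
    # Constructed app IDs; the affected real app IDs are listed in the article, not here.
    dashboard_token = auth.issue_token("alice", "correct horse battery staple", 1001, {"repo"})
    readonly_token = auth.issue_token("alice", "correct horse battery staple", 1002, {"read:user"})
    before = rs.list_private_repos(dashboard_token)      # works with the token alone
    scope_denied = rs.list_private_repos(readonly_token)  # wrong scope, even though valid
    revoked_count = auth.revoke_app(1001)                 # the response GitHub describes
    after = rs.list_private_repos(dashboard_token)        # same token, now useless
    return before, scope_denied, revoked_count, after


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of `revoke_app` is that revocation happens at the authorization server, not at the app: whoever holds a copy of the token loses access the moment the issuer marks it revoked, which is why token rotation, not just app-side cleanup, is the remediation for a token theft.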

As of April 15, 2022, the following OAuth apps are impacted: 

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831), and
  • Travis CI (ID: 9216)

According to GitHub, the OAuth tokens were not obtained through a breach of its own systems, because the company does not store them in their original, usable formats.

GitHub says the threat actor may be mining the private repository contents downloaded from target organizations through these third-party OAuth applications for additional secrets that could be used to pivot to other parts of their infrastructure. 

On April 12, the Microsoft-owned service discovered early signs of the attack campaign when unauthorized access to its NPM production environment was gained through a compromised AWS API key.

The AWS API key is thought to have been acquired by using a stolen OAuth token from one of the two impacted OAuth applications to download a series of unnamed private NPM repositories.
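The pivot described in the two paragraphs above, from repository contents to a cloud API key, is why defenders scan their own repositories for committed credentials and rotate anything found. The following Python scanner is an added example (not GitHub’s secret-scanning service or any vendor’s tool) that walks an in-memory checkout, matches well-known credential formats (AWS access key IDs start with `AKIA`, GitHub personal access tokens with `ghp_`) plus a generic `secret=`/`password=`/`api_key=` heuristic, and reports each hit with a redacted value so the report itself does not leak the secret. The sample repository and its keys are constructed; the AWS values are the placeholder examples used in AWS documentation, not real credentials.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind redacted")

# Well-known token formats plus one generic assignment heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{12,})"
    ),
}


def redact(value):
    """Keep only the first and last four characters so a report can be shared safely."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(path, text):
    """Return a Finding for every credential-looking match in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(1))))
    return findings


def scan_repo(files):
    """files maps path -> contents, i.e. a checked-out repository held in memory."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository; the AWS values are documentation placeholders.
SAMPLE_REPO = {
    "config/deploy.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/publish.sh": (
        "#!/bin/sh\n"
        "npm publish --//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Note that `scripts/publish.sh` reads its token from an environment variable and produces no finding, while `config/deploy.env` yields two: the access key ID by format and the secret key by the assignment heuristic. A regex scanner like this is a floor, not a ceiling: it cannot recognise a high-entropy secret with no recognisable prefix, so a real programme pairs it with entropy checks and with the cloud provider’s own key-usage logs.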

The access tokens linked with the impacted apps have subsequently been revoked, according to GitHub. 

According to GitHub, “we think the attacker did not change any packages or get access to any user account data or passwords at this time,” adding that it is presently investigating whether the attacker viewed or downloaded private packages.

GitHub says it will work over the next 72 hours to identify and notify all known-affected victim users and organizations impacted by this event.
