GitHub Security on Friday reported that it began an investigation last week that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators to download data from dozens of organizations, including npm.
In a blog post, GitHub Security said the two OAuth integrators were Heroku and Travis-CI. The applications maintained by the OAuth integrators were used by GitHub users, including GitHub itself. GitHub Security said it does not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats.
However, looking across the GitHub platform, GitHub Security said it has “high confidence” that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. GitHub said the actors may be mining the downloaded private repository contents to which the stolen OAuth token had access for secrets that could be used to move laterally to other infrastructure.
OAuth tokens are a common method for automating cloud services such as code repositories and DevOps pipelines, said Ray Kelly, a Fellow at NTT Application Security. Kelly said these tokens are considered secrets for a good reason and are often “masked” with stars or not shown at all to help protect connected business services.
“If a token is compromised, in this case a GitHub token, a malicious actor can steal corporate IP or modify source code to initiate a supply chain attack that could spread malware or steal PII from unsuspecting customers,” Kelly said.
Casey Ellis, founder and CTO at Bugcrowd, said the cloud has brought the industry a huge range of security improvements, but the convenience has a hidden downside. Ellis said the ease of use the cloud offers also means it’s easier to make a security oversight, like failing to audit, monitor, or expire OAuth keys.
“When OAuth keys like the ones used in this attack can’t be stolen from a database or poorly-permissioned repository, they are often gleaned from the client-side using malware or browser-based attacks, then collected and aggregated by Initial Access Brokers (IABs), and on-sold to those who need to use them for a specific attack,” Ellis said. “I suspect that is what has happened here, and the important lesson is that this type of layered-threat is a present and active risk for anything.”