Attackers Use Stolen OAuth App Token To Breach Dozens Of Organizations

Share post:

GitHub has confirmed a security breach that saw an attacker use stolen OAuth app tokens to steal private repositories from dozens of organizations.

The attack process involves authenticating the attacker authenticating to the GitHub API with the stolen oAuth tokens issues to Heroku and Travis CI, the attacker listing all of the user’s organizations, and the attacker selectively selects targets based on the organizations listed.

The attacker listed the private repositories for user accounts of interest, and the attacker then proceeded to clone some of those private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub said.

GitHub also shared guidelines that can assist customers in investigating logs for data exfiltration or malicious activity.

This includes checking all private repositories for secrets and credentials stored in them, checking oAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations.

Others include checking their account activity, personal access tokens, oAuth apps, and SSH keys for activity or changes that may have come from the attacker.

The sources for this piece include an article in BleepingComputer.



Related articles

Cyber Security Today, March 22, 2023 – ChatGPT4 is out, poorly-protected Linux servers are exploited, and more

ChatGPT4 is out, poorly-protected Linux servers are exploited, and more. Welcome to Cyber Security Today. It’s Wednesday, March 22nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S. The new version of ChatGPT has been released. But if you were hoping that version 4 has made this tool safer

Only 9 per cent of Canadian firms are cyber mature: Cisco report

Only 15 per cent of companies around the world would have a mature cyber readiness, according to survey

Ferrari notifies customers of ransom demand

Exclusive car maker says some client contact information exposed in cy

Government backs down on document demand from Google, Facebook

Change meets criticism that demand for external communications is an invasion

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways