Attackers Use Stolen OAuth App Token To Breach Dozens Of Organizations

GitHub has confirmed a security breach that saw an attacker use stolen OAuth app tokens to steal private repositories from dozens of organizations.

The attack process involves authenticating the attacker authenticating to the GitHub API with the stolen oAuth tokens issues to Heroku and Travis CI, the attacker listing all of the user’s organizations, and the attacker selectively selects targets based on the organizations listed.

The attacker listed the private repositories for user accounts of interest, and the attacker then proceeded to clone some of those private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub said.

GitHub also shared guidelines that can assist customers in investigating logs for data exfiltration or malicious activity.

This includes checking all private repositories for secrets and credentials stored in them, checking oAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations.

Others include checking their account activity, personal access tokens, oAuth apps, and SSH keys for activity or changes that may have come from the attacker.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web