Stolen OAuth tokens lead to ‘dozens’ of breached GitHub repos


    An unknown threat actor used compromised OAuth tokens to download data from the private repositories of “dozens of organizations,” according to GitHub.

    The tokens had been issued to two third-party OAuth integrators, hosted integration platform Travis CI and PaaS provider Heroku, a Salesforce subsidiary. In a Friday blog post, GitHub CSO Mike Hanley revealed the company began its investigation on April 12 and disclosed the attack to Heroku and Travis CI on April 13 and 14.

    OAuth, short for Open Authentication, is an account integration technology used across the web that lets third-party websites make use of a person's account information in a less intrusive way than having the user share that data directly.

    “We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats,” Hanley said in the blog post. “Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps.”

    GitHub subsidiary npm was among the organizations to have its repositories accessed. Moreover, at least some of the repositories accessed by the attacker were hosted on GitHub. The company said the attacker gained unauthorized access to private repositories in the npm organization on GitHub.com and downloaded them. In addition, Hanley said the attacker gained “potential access” to the npm packages in AWS S3 storage.

    “At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials,” he said in the blog post. “We are still working to understand whether the attacker viewed or downloaded private packages.”

    Heroku likewise published a security advisory Friday detailing the current status of its own investigation. The cloud company said a threat actor downloaded “a subset of Heroku’s GitHub private repositories, including some source code” on April 9. On April 16, three days after GitHub reported the token theft to Heroku, Salesforce completed its revocation of all OAuth tokens from Heroku Dashboard’s GitHub integration.

    “These actions, based on our current understanding of the issue, should prevent unauthorized access to your GitHub repositories,” Heroku’s update read.

    Regarding whether customer data was stolen, Heroku said the tokens “could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts. With the access to customer OAuth tokens, the threat actor may have read and write access to customer GitHub repositories connected to Heroku. Given the incident is still active, please review the recommended actions provided below.”

    Heroku recommended customers disconnect the Heroku platform from their GitHub repositories and check for evidence of exfiltration in their logs.
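The log review Heroku recommends is easier with a small triage script. The following is an added example, not code from GitHub, Heroku or the article: it reads a newline-delimited JSON audit-log export, keeps only download-style repository events that happened inside the incident window and were performed with an OAuth token belonging to one of the affected integrations, and escalates any actor that pulled several distinct private repositories in that window. The log lines are constructed, and the field names (`action`, `actor`, `repo`, `created_at`, `programmatic_access_type`, `oauth_application_name`, `repo_visibility`) are assumptions modelled on the shape of GitHub's JSON audit-log export; check them against a real export before relying on the script.

```python
"""Triage a GitHub organization audit-log export for repository
downloads made with OAuth-app tokens during an incident window.

Added example; not GitHub's, Heroku's or the article's code. Field
names are ASSUMED to follow GitHub's JSON audit-log export and must be
verified against a real export. All sample log lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (newline-delimited JSON, one event per line).
SAMPLE_EXPORT = """\
{"action":"git.clone","actor":"dev-alice","repo":"acme/billing","created_at":"2022-04-09T03:12:44Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Heroku Dashboard","repo_visibility":"private"}
{"action":"git.clone","actor":"dev-alice","repo":"acme/payments","created_at":"2022-04-09T03:13:01Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Heroku Dashboard","repo_visibility":"private"}
{"action":"repo.download_zip","actor":"dev-alice","repo":"acme/infra","created_at":"2022-04-09T03:15:30Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Heroku Dashboard","repo_visibility":"private"}
{"action":"git.clone","actor":"dev-alice","repo":"acme/website","created_at":"2022-04-09T03:16:00Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Heroku Dashboard","repo_visibility":"public"}
{"action":"git.fetch","actor":"dev-bob","repo":"acme/ci-scripts","created_at":"2022-04-10T11:00:00Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Travis CI","repo_visibility":"private"}
{"action":"git.push","actor":"dev-bob","repo":"acme/ci-scripts","created_at":"2022-04-10T11:05:00Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Travis CI","repo_visibility":"private"}
{"action":"git.clone","actor":"dev-carol","repo":"acme/billing","created_at":"2022-04-01T09:00:00Z","programmatic_access_type":"OAuth access token","oauth_application_name":"Heroku Dashboard","repo_visibility":"private"}
{"action":"git.clone","actor":"dev-dave","repo":"acme/billing","created_at":"2022-04-12T14:20:00Z","programmatic_access_type":"Personal access token","repo_visibility":"private"}
"""

# Event types that move repository contents out of GitHub (assumed names).
DOWNLOAD_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

# Incident window taken from the article: April 9 (first known download)
# through April 16 (Heroku token revocation completed).
WINDOW_START = datetime(2022, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 4, 16, 23, 59, 59, tzinfo=timezone.utc)
AFFECTED_APPS = {"Heroku Dashboard", "Travis CI"}


def parse_export(text):
    """Parse newline-delimited JSON into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Audit-log timestamps are UTC with a trailing "Z"; fromisoformat
        # needs an explicit offset on older Pythons.
        ev["_ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_suspect_downloads(events, apps, start, end, repo_threshold=3):
    """Return (matched, escalated, exposed_repos).

    matched: download events inside [start, end] made with an OAuth token
             of one of `apps` against a private repository.
    escalated: actor -> sorted repos, for actors that pulled at least
               `repo_threshold` distinct private repos (bulk-collection sign).
    exposed_repos: every private repo touched by a matched event.
    """
    per_actor = defaultdict(set)
    matched = []
    for ev in events:
        if ev["action"] not in DOWNLOAD_ACTIONS:
            continue
        if not (start <= ev["_ts"] <= end):
            continue
        if ev.get("programmatic_access_type") != "OAuth access token":
            continue
        if ev.get("oauth_application_name") not in apps:
            continue
        if ev.get("repo_visibility") != "private":
            continue
        matched.append(ev)
        per_actor[ev["actor"]].add(ev["repo"])
    escalated = {a: sorted(r) for a, r in per_actor.items() if len(r) >= repo_threshold}
    exposed = {ev["repo"] for ev in matched}
    return matched, escalated, exposed


def triage_sample():
    """Run the triage over the constructed export with the article's window."""
    events = parse_export(SAMPLE_EXPORT)
    return find_suspect_downloads(events, AFFECTED_APPS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    matched, escalated, exposed = triage_sample()
    print(f"{len(matched)} download events via affected OAuth apps in window")
    for actor, repos in escalated.items():
        print(f"ESCALATE {actor}: pulled {len(repos)} private repos: {', '.join(repos)}")
    print("Treat as potentially exfiltrated:", ", ".join(sorted(exposed)))
```

On the constructed sample the script keeps four events (three Heroku Dashboard downloads by one actor and one Travis CI fetch), ignores the public-repo clone, the push, the personal-access-token clone and the clone from before the window, and escalates only the actor that pulled three distinct private repositories. The `exposed` set is the list of repositories whose contents should be treated as read by the attacker until proven otherwise, which is also the list to check for embedded secrets that need rotating.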

    Salesforce declined to answer SearchSecurity’s questions directly. A spokesperson wrote in an email that Salesforce was aware of the “reported issue with Heroku’s GitHub repositories” and had “proactively engaged” with its customers to address it. In addition, the spokesperson wrote, “If we determine that any customer is affected, we will update them with further guidance without undue delay.”

    Travis CI did not respond to SearchSecurity’s request for comment.

    Alexander Culafi is a writer, journalist and podcaster based in Boston.


