Stolen OAuth tokens lead to 'dozens' of breached GitHub repos

An unknown threat actor used compromised OAuth tokens to download data from the private repositories of "dozens of organizations," according to GitHub.

The tokens had been issued to two third-party OAuth integrators, hosted integration platform Travis CI and PaaS provider Heroku, a Salesforce subsidiary. In a Friday blog post, GitHub CSO Mike Hanley revealed the company began its investigation on April 12 and disclosed the attack to Heroku and Travis CI on April 13 and 14.

OAuth, short for Open Authentication, is an account integration technology used across the web as a means of allowing user information to be used across third-party websites in a less intrusive way than directly sharing data.

"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats," Hanley said in the blog post. "Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."

GitHub subsidiary npm was among the organizations to have its repositories accessed. Moreover, at least some of accessed repositories accessed by the attacker were hosted on GitHub. The company said the attacker gained unauthorized access to private repositories in the npm organization on GitHub.com and downloaded them. In addition, Hanley said the attacker gained "potential access" to the npm packages in AWS S3 storage.

"At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials," he said in the blog post. "We are still working to understand whether the attacker viewed or downloaded private packages."

Heroku likewise published a security advisory Friday detailing the current status of its own investigation. The cloud company said a threat actor downloaded "a subset of Heroku's GitHub private repositories, including some source code" on April 9. On April 16, three days after GitHub reported the token theft to Heroku, Salesforce completed its revocation of all OAuth token from Heroku Dashboard's GitHub integration.

"These actions, based on our current understanding of the issue, should prevent unauthorized access to your GitHub repositories," Heroku's update read.

Regarding whether customer data was stolen, Heroku said the tokens "could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts. With the access to customer OAuth tokens, the threat actor may have read and write access to customer GitHub repositories connected to Heroku. Given the incident is still active, please review the recommended actions provided below."

UPDATE 5/5: After issuing forced passwords resets earlier in the week, Heroku issued a statement Thursday confirming that threat actors used the compromised OAuth token to breach a company database exfiltrate the hashed and salted passwords for customer accounts. "For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed," the statement said. "We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise."

Heroku recommended customers disconnect the Heroku platform from their GitHub repositories and check for evidence of exfiltration in their logs.

Salesforce declined to answer SearchSecurity's questions directly. A spokesperson wrote in an email that Salesforce was aware of the "reported issue with Heroku's GitHub repositories" and had "proactively engaged" with its customers to address it. In addition, the spokesperson wrote, "If we determine that any customer is affected, we will update them with further guidance without undue delay."

Travis CI did not respond to SearchSecurity's request for comment.

UPDATE 4/19: Following publication of this article, a Travis CI spokesperson responded to SearchSecurity's request for comment by sharing a security bulletin posted to the company's Zendesk site.

Derek Wood, director of technical support at Travis CI parent company Idera, wrote Friday that certain Travis CI private customer repositories may have been accessed as a result of the token theft. In response, the company revoked all authentication keys and tokens in order to prevent further access into the company's systems.

In a Monday evening update to the bulletin however, Wood said the OAuth key stolen "does not provide access to any Travis CI customer repositories or any Travis CI customer data."

"We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access," he wrote. "Based on what we have found, we do not believe this is an issue or risk to our customers."

Alexander Culafi is a writer, journalist and podcaster based in Boston.