When GitHub released Codespaces last year it was touted as their best release since GitHub Actions. If you’re using Codespaces or thinking about it,...
3 min read
Roy Blit : Apr 18, 2022 2:02:36 PM
On Friday April 15, GitHub Security announced it had detected the compromise of OAuth access tokens issued to Heroku and Travis-CI integrations to download data from dozens of organizations. Many private repositories had been compromised, including those belonging to npm and GitHub itself.
It's certainly not the first time OAuth access tokens have been stolen and abused for intrusions. For instance, on July 7, 2020, hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev. Third party apps and plugins can be leveraged by adversaries as a software supply chain attack vector and should always be treated with caution.
This post will cover the details behind this attack, its potential risks, and what organizations can do to protect themselves.
On April 12, GitHub Security identified unauthorized access to their NPM production infrastructure using a compromised AWS API key. After further investigation, they concluded that a malicious actor had obtained this key when downloading a set of private npm repositories using a stolen OAuth token from either Heroku or Travis-CI. Both serve as 3rd party OAuth applications and provide various CI/CD capabilities by integrating with SCMs such as GitHub, GitLab and Bitbucket. The applications maintained by these integrators were used by GitHub users, including GitHub itself.
The compromised OAuth user tokens were stolen and abused to download private repositories belonging to dozens of victim organizations using Heroku and Travis-CI-maintained OAuth applications. The suspicion is that the actors were, and possibly still are, scanning the downloaded private repository contents (to which the stolen OAuth token had access) for secrets that could be used to expand into other infrastructure inside the organization.
On April 13 and 14, GitHub revoked access tokens associated with GitHub and npm’s internal use of these compromised applications. Moreover, they disclosed their findings to Heroku and Travis-CI and requested that they initiate their own security investigations, revoke all OAuth access tokens associated with the affected applications, and begin work to notify their own users.
Since an authorized OAuth App has access to all of its user's or organization owner's accessible resources, a compromised OAuth app could lead to a severe software supply chain attack.
For example, say you’re using Travis-CI as a build platform within your organization. This actually means that Travis-CI has an OAuth access token with all of the permissions that the user who issued the Travis-CI integration has. So if Travis-CI’s infrastructure gets compromised and an attacker manages to obtain that token (e.g., by gaining access to the database where they keep customers’ tokens) – all the repositories under the integrating user account will be subject to the attacker’s will. For example, the attacker could download the git repositories, scan for sensitive secrets, laterally move to additional organization resources and cloud services, or inject malicious payloads to the organization repositories and artifacts to initiate a supply chain attack.
GitHub mentioned it is working to identify and notify all known-affected victims and organizations discovered through their analysis across GitHub.com. But if you want to be confident, it is advised you do the following:
It’s important to note that it is possible that GitHub users were not the only victims of this attack. If the compromised Heroku or Travis-CI tokens also contained OAuth applications of other services, such as GitLab, the assets of those services might be compromised as well. So we recommend users of all SCMs that can integrate with Heroku and Travis-CI run their appropriate validations.
To keep yourself protected from this kind of attacks, we recommend the following security measures:
The principles of securing your SDLC pipeline may appear straightforward, but in practice it gets complicated and time-consuming quickly, especially as your organization scales. Legit Security aims to make the process of securing your SDLC much easier, and we’ve developed a SaaS-based platform to do just that. We can help you make sure the aforementioned mitigation steps are covered by your SCM, be it GitHub, GitLab, Bitbucket and more. Contact us if you’d like to learn more.
To learn more best practices in software supply chain security, check out our guide: Best Practices to Secure Your Software Supply Chains.
We’re pleased to announce the launch of Legitify – an open-source security tool for GitHub users to automatically discover and remediate insecure...
In this blog post, we’ll explore a bug we’ve found in a popular third-party action and how in some cases it could lead to your SDLC pipeline being...