GitHub notifies victims whose private data was accessed using stolen OAuth tokens


GitHub said on Monday that it has notified all known victims of an attack campaign in which an unauthorized party downloaded content from private repositories by abusing third-party OAuth user tokens maintained by Heroku and Travis CI.

“Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations of affected OAuth apps,” the company said in an updated post.

The incident first came to light on April 12, when GitHub discovered evidence that a malicious actor had used stolen OAuth user tokens issued to Heroku and Travis CI to download data from dozens of organizations, including NPM.


The Microsoft-owned platform also said it would promptly alert customers if the ongoing investigation identifies additional victims. It further warned that the adversary may be mining the downloaded repository contents for secrets, such as credentials and API keys, that could be used to pivot into other infrastructure.

Heroku, which disabled its GitHub integration following the incident, advised users that they can still integrate their application deployments using Git directly or through other version control providers such as GitLab or Bitbucket.

Travis CI, a hosted continuous integration service provider, said in an advisory released on Monday that it had “revoked all authorization keys and tokens preventing further access to our systems.”


While stating that no customer data was exposed, Travis CI acknowledged that the attackers breached a Heroku service and obtained the OAuth key of a private application used to integrate Heroku with Travis CI.

Travis CI reiterated, however, that it found no evidence that any private customer repository had been accessed or that the threat actors had gained unauthorized access to source code.

“Given the data available to us and out of an abundance of caution, Travis CI has revoked and reissued all private client authentication keys and tokens integrating Travis CI with GitHub to ensure that no client data is compromised,” the company said.

