GRC Viewpoint

GitHub Provides More Information on a Recent Security Breach, Assures Not a Huge Risk for Customers

The recent security breach at GitHub involved the attacker authenticating to the company's API using stolen OAuth user tokens. These tokens had been issued to two third-party OAuth integrators, namely Travis CI and Heroku. In most cases, the intruder listed all of the user's organizations before choosing targets.

Specifically, during the attack, the attacker listed the private repositories of selected user accounts before proceeding to clone some of those repositories.
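The sequence described above (a third-party integration's token enumerating an account and then cloning several private repositories in quick succession) is something a defender can look for in audit data. The following is an added example, not code from GitHub or from the article: a small detector run over constructed sample log lines. The log schema (fields `ts`, `action`, `integration`, `actor`, `repo`, `visibility`) and the action names are assumptions for this illustration and are not GitHub's real audit-log format; the thresholds are likewise arbitrary.

```python
"""Toy detector for bulk private-repository cloning by an OAuth integration's token,
optionally preceded by organization/repository enumeration.

NOTE: the log format below is constructed for this example; it is NOT GitHub's
audit-log schema. Field and action names are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema), one JSON object per line.
SAMPLE_LOG = """
{"ts": "2022-04-12T03:00:01Z", "action": "org.list",  "integration": "ci-app",     "actor": "dev1", "repo": null, "visibility": null}
{"ts": "2022-04-12T03:00:05Z", "action": "repo.list", "integration": "ci-app",     "actor": "dev1", "repo": null, "visibility": null}
{"ts": "2022-04-12T03:01:10Z", "action": "git.clone", "integration": "ci-app",     "actor": "dev1", "repo": "acme/billing",       "visibility": "private"}
{"ts": "2022-04-12T03:01:40Z", "action": "git.clone", "integration": "ci-app",     "actor": "dev1", "repo": "acme/infra",         "visibility": "private"}
{"ts": "2022-04-12T03:02:15Z", "action": "git.clone", "integration": "ci-app",     "actor": "dev1", "repo": "acme/secrets-vault", "visibility": "private"}
{"ts": "2022-04-12T09:00:00Z", "action": "git.clone", "integration": "ci-app",     "actor": "dev2", "repo": "acme/website",       "visibility": "public"}
{"ts": "2022-04-12T09:30:00Z", "action": "git.clone", "integration": "deploy-app", "actor": "dev3", "repo": "acme/api",           "visibility": "private"}
"""

# Assumed action names: enumeration of what the token can see, and a clone.
ENUMERATION_ACTIONS = {"org.list", "repo.list"}
CLONE_ACTIONS = {"git.clone"}


def parse_events(raw):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_private_clones(events, window=timedelta(minutes=30), min_private_clones=3):
    """Return one alert per (integration, actor) pair that cloned at least
    `min_private_clones` distinct private repositories within `window`.

    Each alert records whether an enumeration action from the same principal
    occurred within `window` before the first clone, since "list, then clone"
    is the pattern the breach write-up describes."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[(ev["integration"], ev["actor"])].append(ev)

    alerts = []
    for (integration, actor), evs in by_principal.items():
        clones = [e for e in evs
                  if e["action"] in CLONE_ACTIONS and e["visibility"] == "private"]
        # Sliding window anchored at each private clone; first window that fires wins.
        for i, first in enumerate(clones):
            in_window = [e for e in clones[i:] if e["ts"] - first["ts"] <= window]
            repos = sorted({e["repo"] for e in in_window})
            if len(repos) < min_private_clones:
                continue
            enumerated = any(
                e["action"] in ENUMERATION_ACTIONS
                and timedelta(0) <= first["ts"] - e["ts"] <= window
                for e in evs
            )
            alerts.append({
                "integration": integration,
                "actor": actor,
                "first_clone": first["ts"].isoformat(),
                "repos": repos,
                "preceded_by_enumeration": enumerated,
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_private_clones(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed sample, only the `ci-app`/`dev1` pair trips the rule: three distinct private repositories cloned within about a minute, shortly after `org.list` and `repo.list` calls. The single private clone by `deploy-app` and the public clone by `dev2` stay below threshold, which is the point of keying on volume, visibility and the preceding enumeration rather than on clone events alone.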

GitHub identified the breach in the second week of April 2022. What led to the discovery was the attacker accessing GitHub's npm production infrastructure. The breach was made public three days later.

“Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps,” explains GitHub.


It seems the attacker compromised a Heroku service to gain access to a private application's OAuth key, which was used to integrate the Travis CI and Heroku applications.

However, there is no considerable threat to customers, as the key does not provide access to any Travis CI customer repositories or customer data. This is GitHub's assurance following a thorough investigation of the incident.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents. In addition, the stolen OAuth token had access to secrets that could be used to pivot [attacks] into other infrastructure,” adds the firm.
