On April 19, we shared the news about the stolen GitHub OAuth tokens and how the attackers used them to steal data from private repositories. Now GitHub is sharing the details of those attacks from its own perspective. According to the report, the stolen OAuth app tokens had been issued to the Heroku and Travis CI platforms.
Step-by-step details
The attacks were first spotted on April 12, when the attackers managed to access private repositories and steal data. Mike Hanley, GitHub's chief security officer, has shared the details of this period step by step. This is what happened, according to Mike Hanley:
- The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.
- For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user’s organizations.
- The attacker then selectively chose targets based on the listed organizations.
- The attacker listed the private repositories for user accounts of interest.
- The attacker then proceeded to clone some of those private repositories.
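The sequence above (authenticate with a third-party OAuth token, enumerate organizations, list private repositories, clone) is a pattern a defender can look for in their own access logs. The following Python is an added example, not code from GitHub's report; it runs over a constructed, simplified event list rather than GitHub's real audit-log schema, and flags any token that enumerates and then clones several private repositories within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not GitHub's real audit-log schema): each is
# (timestamp, actor, oauth_app, action, target). The first actor enumerates
# organizations, lists private repos and clones several; the second is benign.
SAMPLE_EVENTS = [
    ("2022-04-12T10:00:00", "alice", "heroku", "list_orgs", "-"),
    ("2022-04-12T10:00:05", "alice", "heroku", "list_private_repos", "acme"),
    ("2022-04-12T10:00:40", "alice", "heroku", "clone", "acme/billing"),
    ("2022-04-12T10:00:55", "alice", "heroku", "clone", "acme/auth-service"),
    ("2022-04-12T10:01:10", "alice", "heroku", "clone", "acme/infra"),
    ("2022-04-12T10:30:00", "bob", "travis-ci", "clone", "acme/ci-config"),
]

CLONE_THRESHOLD = 3          # distinct private repos cloned via one token
WINDOW = timedelta(minutes=15)  # how soon after enumeration the clones must occur


def find_enumeration_then_clone(events, threshold=CLONE_THRESHOLD, window=WINDOW):
    """Return (actor, OAuth app) pairs whose token listed organizations or
    private repositories and then cloned at least `threshold` distinct repos
    within `window` of the first listing call."""
    by_token = defaultdict(list)
    for ts, actor, app, action, target in events:
        by_token[(actor, app)].append((datetime.fromisoformat(ts), action, target))

    flagged = []
    for (actor, app), evs in by_token.items():
        evs.sort()
        listings = [t for t, a, _ in evs if a in ("list_orgs", "list_private_repos")]
        if not listings:
            continue  # no enumeration step: plain clones are normal CI traffic
        first_listing = listings[0]
        cloned = {tgt for t, a, tgt in evs
                  if a == "clone" and first_listing <= t <= first_listing + window}
        if len(cloned) >= threshold:
            flagged.append({"actor": actor, "oauth_app": app, "repos": sorted(cloned)})
    return flagged
```

Tune the threshold and window to the normal behaviour of the integrations in your own organization; a legitimate CI app rarely needs to list organizations before cloning.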
Mike Hanley states that the company believes those OAuth tokens were not stolen from GitHub itself but from other sources. He added that GitHub does not store the OAuth tokens in their original, usable format either.
« This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku. »
GitHub will continue to notify directly the affected users it was able to identify. Mike also suggests following Heroku's and Travis CI's own investigations for future updates. You can follow the links below to check their investigations as well: