Stolen OAuth Access Tokens Allow Hackers to Target Dozens of Organizations

Hackers have been using stolen OAuth user tokens to download private data from multiple organizations, according to GitHub, a cloud-based repository hosting service.

Hackers downloaded data from numerous organizations, including NPM, by using stolen OAuth user tokens issued to Heroku and Travis-CI, which were used by the two third-party OAuth integrators.

Apps and services frequently use OAuth access tokens to authorize access to specific portions of a user's data and communicate with each other without having to share actual credentials. Passing authorization from a single sign-on (SSO) service to another application is a common practice.

As of April 15, 2022, the following OAuth applications have been impacted:

1. Heroku Dashboard (ID: 145909)
2. Heroku Dashboard (ID: 628778)
3. Heroku Dashboard – Preview (ID: 313468)
4. Heroku Dashboard – Classic (ID: 363831), and
5. Travis CI (ID: 9216)

As the tokens are not stored in their original, usable formats, GitHub claims they were not obtained through a breach of its systems or of GitHub itself.

Third-party OAuth apps may be used to extract additional secrets from victim entities' private repositories, which could then be used in other parts of the victim's infrastructure, GitHub warned.

An early sign of the attack campaign was uncovered on April 12 when Microsoft's NPM production environment was accessed using a compromised AWS API key.

The stolen OAuth token from one of the two affected OAuth applications is thought to have been used to download a set of unspecified private NPM repositories, resulting in the theft of this AWS API key. Affected apps' access tokens have since been revoked, GitHub says.

It's still unclear whether the attacker accessed or downloaded private packages, but "at this point, we believe that the attacker did not modify any packages or gain access to any user account data or credentials," the company said, adding that it is still investigating.

At this time, GitHub says it is working to identify and notify all of the known victim users and organizations who may be affected by this incident over the next 72 hours.