Last updated on July 28th, 2022 at 12:44 am
GitHub, a cloud-based storage service, has announced that threat actors abused stolen OAuth user access tokens to exfiltrate data from enterprise GitHub repositories. After first detecting the attackers' activity on April 12, 2022, GitHub observed that data belonging to many organizations, including NPM, had been accessed using OAuth access tokens issued to Heroku and Travis CI applications.
OAuth access tokens are commonly used by services and applications to authorize access to designated parts of a user's data and to communicate with each other without sharing credentials. This follows the SSO (Single Sign-On) pattern: a single login authorizes other applications to act on the user's behalf.
GitHub has stated that the OAuth access tokens were not obtained through a breach of GitHub itself, and that GitHub does not store these tokens in their original, usable format. GitHub security researchers also found that NPM's development environment was accessed without authorization through a compromised AWS API key; the threat actors are believed to have obtained that API key using the stolen OAuth access tokens. GitHub took action after noticing increased activity involving these OAuth access tokens and blocked their further use.
According to GitHub's statement, some GitHub repositories were compromised, but no packages were modified and no user data or credentials were accessed. GitHub has launched a detailed investigation to identify all users and organizations affected by the breach. GitHub users who may be affected are advised to regularly review the OAuth applications they have authorized or that have access to their organization, and to periodically check the security logs of the relevant organization for potentially anomalous activity.
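One way to act on the log-review advice above, as an added example that is not part of the original article or of GitHub's own tooling: it triages constructed organization audit-log entries (field and action names are assumed to follow GitHub's org audit-log export) for OAuth apps approved outside a reviewed allowlist and for accounts pulling many repositories in a short burst, the pattern a stolen app token leaves behind.

```python
import json
from collections import defaultdict

# Constructed sample entries (one JSON object per line), shaped like GitHub's org
# audit-log export. Field and action names are assumptions about that format and
# the values are invented for this example.
SAMPLE_LOG = """\
{"@timestamp": 1649721600000, "action": "org.oauth_app_access_approved", "actor": "admin-a", "oauth_application_name": "Heroku Dashboard"}
{"@timestamp": 1649721660000, "action": "org.oauth_app_access_approved", "actor": "admin-a", "oauth_application_name": "Unknown Sync Tool"}
{"@timestamp": 1649722200000, "action": "repo.download_zip", "actor": "dev-b", "repo": "acme/api"}
{"@timestamp": 1649722230000, "action": "repo.download_zip", "actor": "dev-b", "repo": "acme/web"}
{"@timestamp": 1649722260000, "action": "repo.download_zip", "actor": "dev-b", "repo": "acme/infra"}
{"@timestamp": 1649722290000, "action": "repo.download_zip", "actor": "dev-b", "repo": "acme/billing"}
{"@timestamp": 1649730000000, "action": "repo.download_zip", "actor": "dev-c", "repo": "acme/web"}
"""

# Actions that indicate repository contents leaving GitHub (assumed names).
DOWNLOAD_ACTIONS = {"repo.download_zip", "git.clone"}


def parse_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_oauth_approvals(entries, allowlist):
    """Return OAuth app names granted org access that are not on the reviewed allowlist."""
    return sorted({
        e["oauth_application_name"]
        for e in entries
        if e["action"] == "org.oauth_app_access_approved"
        and e["oauth_application_name"] not in allowlist
    })


def bulk_download_actors(entries, max_repos, window_ms):
    """Return actors that fetched more than max_repos distinct repos inside any window_ms span.

    A stolen token used to enumerate and pull private repos produces a burst of
    fetches; a developer fetching one or two repos a day does not.
    """
    by_actor = defaultdict(list)
    for e in entries:
        if e["action"] in DOWNLOAD_ACTIONS:
            by_actor[e["actor"]].append((e["@timestamp"], e["repo"]))
    flagged = []
    for actor, events in by_actor.items():
        events.sort()  # sliding window over the actor's fetches in time order
        for i, (t0, _) in enumerate(events):
            repos = {r for t, r in events[i:] if t - t0 <= window_ms}
            if len(repos) > max_repos:
                flagged.append(actor)
                break
    return flagged
```

Run both checks over the org's real export and treat any hit as a prompt to review that app's grant or that account's sessions, not as proof of compromise on its own.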