In early April 2022, news broke that various users of Microsoft’s GitHub platform had been affected by unauthorized access to their private source code.
GitHub has now updated its incident report, saying: “We are in the process of sending the final expected notifications to GitHub.com customers who had either the Heroku or Travis-CI OAuth app integrations authorized in their GitHub accounts.”
The good news is that GitHub itself hasn’t been breached, so this isn’t a concern for every GitHub user.
The bad news is that this kind of indirect intrusion is hard to predict.
If you’ve never used GitHub, it’s a cloud-based source code control system best known for hosting public repositories of many open source software projects.
The source code control system not only makes the latest version of the software available for download, but also keeps a continuous record of all recent changes and the reasons for the changes (and, if necessary, why they were later rejected).
Source control systems usually also provide a historical listing of official releases, tools for supporting and maintaining different release versions, and online forums for reporting bugs and suggesting changes.
You’ve probably heard the jargon term pull request, which represents a potential code update: a proposed change for which the contributor provides a justification. Of course, from the proposer’s point of view it is essentially a push request, aiming to inject new code into the system. Once approved by the project team, the code is pulled, or merged, into the codebase and becomes an official part of the project.
Source code control provides a formal history of changes to your software project, making it much easier to spot new bugs because each change can be individually reviewed and retested.
It also allows developers scattered across the globe to collaborate efficiently without accidentally trampling on each other’s proposed updates.
Examples of popular open source projects hosted on GitHub include the cryptographic library OpenSSL, Microsoft’s own scripting language PowerShell, and the privacy-focused alternative browser Brave.
However, not all GitHub projects are public open source code repositories.
Many organizations use cloud-based tools like GitHub to host private projects that they don’t want made public.
For example, many startups don’t want to let a potential competitor know they’re working on Project X or even experimenting in Field Y.
Established software companies may have legacy products that contain algorithms and other intellectual property they don’t want competitors to be able to duplicate easily.
What went wrong?
Initial investigations showed that the compromised organizations had one of two things in common: they used either the Heroku or the Travis-CI Continuous Integration (CI) system.
Many software development teams these days follow an agile or DevOps approach.
Coders don’t get together every so often to combine their collective updates into a full test build.
Instead, they use an automated system that regularly and frequently pumps out all recent changes, and then automatically rebuilds and retests them, perhaps several times a day.
The idea is that the sooner each proposed change is tried, the sooner easily detectable defects are found.
This in turn means that you can quickly investigate newly introduced bugs before other parts of your project get entangled with new code, so fewer changes need to be considered when trying to figure out what went wrong.
Even better, code changes that break the build process itself are exposed immediately, instead of lingering until the project can no longer be rebuilt, let alone retested.
As you can imagine, automated CI systems don’t have real developers on hand to type in passwords and 2FA codes every time they log on to a source code control system to clone the latest version of a project…
…so they rely instead on so-called authentication tokens that can be injected into network traffic to prove that they have access.
These authentication tokens usually act as a kind of medium-term “sub-password” that allows automated software tools to perform a predetermined set of actions, for example granting download access to all the code and the ability to upload bug reports, but not the ability to approve code changes.
In fact, even if you aren’t a programmer, you have probably used a system like this yourself, if you have ever authorized a third-party toolkit to interact with your social media accounts.
For example, if you are a Hootsuite user, you may have used your password and 2FA code to generate an access token that allows the Hootsuite system to browse your social media accounts on your behalf.
You may have given that app, or one like it, the ability to peek at everything that comes into your social media account, and even the ability to tweet in your name or post on Facebook.
So, if a cybercriminal can get at the stored secrets used by one of those pre-approved apps, or implant malware on your computer or network to spy on network traffic and sniff the authentication tokens in transit…
…those tokens can be used by the attackers to meddle with your online accounts, or sold on to other scammers for similarly nefarious purposes.
According to GitHub, what happened in this source code theft incident is that the attackers:
- Obtained GitHub auth tokens that had been uploaded to Heroku or Travis-CI by account X.
- Listed all the sub-accounts with projects accessible via the tokens issued to X.
- Chose projects that sounded interesting from that list.
- Enumerated code repositories that sounded interesting within those projects.
- Cloned (i.e. stole) the code, which could lead to potentially damaging data breaches.
In other words, even though the victim’s GitHub account was not compromised directly, it was compromised indirectly, by the exposure of what the victim might think of as a “sub-password” that had been delegated to the automation tools Heroku or Travis-CI.
It’s as if an intruder had broken into the system that issues ID cards for an office building and stolen active access cards already issued to authorized employees, rather than creating new passes of their own.
What to do?
An indirect data breach like this is a form of supply chain breach: the victim is not attacked directly, but via an operational process that has been delegated to others.
Here are some tips to protect against incidents of this type, or to respond promptly if you are caught up in one.
- Periodically review the third-party access authorizations you have granted, for every app connected to every online service you use. You may have more than you think, including webmail, teleconferencing, web hosting, source code control, social media, DNS, content management, and cloud services such as CRM. Social media sites like Twitter and Facebook have dashboard pages where you can list all the third-party apps you have approved. Do not assume that uninstalling an app that has access to your account revokes that access at the same time.
- Make sure you know how to revoke third-party authentication tokens for every service you use. The OAuth system involved in this case has documentation on how to revoke access. The social media dashboard pages mentioned in tip 1, where you can list who has access, usually include a button to revoke that access immediately.
- Be prepared for the worst. Know what to do and whom to contact in the event of a cyberattack, especially where local laws require the disclosure of data breaches.
Remember, preparing for a cyberattack is not an admission that you expect to fail.
Indeed, regular and purposeful cybersecurity practice can improve resilience by exposing gaps in policies and procedures, and by revealing access that was supposed to have been withdrawn but was never actually revoked.
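To make tips 1 and 2 concrete, here is an added example (not from the original article, and not GitHub’s or OAuth’s own tooling) of a small audit routine over a list of delegated authorizations: it flags tokens whose integration has been uninstalled but never revoked, tokens that have gone unused for a long time, and tokens carrying write-capable scopes that a clone-and-test CI job does not need. The record format, scope names and sample data are all constructed for illustration.

```python
"""Audit delegated (OAuth-style) access tokens for staleness and excess scope.

Added example, not from the original article or from GitHub's own tooling.
The record format and scope names are constructed for illustration; a real
audit would feed them from a service's "authorized applications" page or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 4, 20, tzinfo=timezone.utc)  # constructed "today"

# Illustrative scopes that let a token do more than read code and file bug reports.
WRITE_SCOPES = {"repo:write", "workflow", "admin:org", "delete_repo"}

@dataclass
class Authorization:
    app: str
    scopes: set
    last_used: datetime
    still_installed: bool  # is the integration still actually in use?

def audit(auths, max_idle_days=90):
    """Return {app_name: [reasons]} for every authorization that needs review."""
    findings = {}
    for a in auths:
        reasons = []
        if not a.still_installed:
            # Uninstalling an app does not revoke the token it was issued.
            reasons.append("integration uninstalled but token never revoked")
        if NOW - a.last_used > timedelta(days=max_idle_days):
            reasons.append(f"unused for >{max_idle_days} days")
        excess = a.scopes & WRITE_SCOPES
        if excess:
            reasons.append("write-capable scopes: " + ", ".join(sorted(excess)))
        if reasons:
            findings[a.app] = reasons
    return findings

# Constructed sample: three delegated authorizations on one source-control account.
SAMPLE = [
    Authorization("ci-runner", {"repo:read", "workflow"}, NOW - timedelta(days=1), True),
    Authorization("old-deploy-bot", {"repo:read"}, NOW - timedelta(days=400), False),
    Authorization("issue-triage", {"repo:read"}, NOW - timedelta(days=3), True),
]

if __name__ == "__main__":
    for app, reasons in audit(SAMPLE).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```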