GitHub notifies victims of OAuth token theft

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps.

Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”

GitHub first uncovered signs that a malicious party had stolen OAuth user tokens on 12 April. The company disclosed its findings to Heroku and Travis-CI over the following couple of days.

Here are the OAuth applications that are known to be impacted (as of 15 April 2022):

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

GitHub believes attacks may be ongoing and is disclosing the information so that protective action can be taken.

For its part, the company has revoked tokens associated with GitHub and npm’s internal use of the compromised apps. GitHub also contacted Heroku and Travis-CI to request they revoke all OAuth user tokens associated with the affected apps, launch their own investigations, and notify impacted users.

GitHub says that it will alert any additional victims that are discovered as part of its investigation.

(Photo by Towfiqu barbhuiya on Unsplash)

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *