Intrusions Abused GitHub and GitLab OAuth Tokens From Git Analytics Firm, Waydev

The attack timeline

• The company confirmed that attackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
• The hackers reportedly performed multiple attacks over an AJAX call, performed exploratory activities, and launched automated scanners between June 10, 2020, and July 03, 2020. The company patched the exploited vulnerability on the same day.
• On July 6, 2020, the company observed that the attacker might have cloned repositories from the users who connected via GitHub OAuth. It appeared that the hackers had gained access to a small subset of its customer codebases.

Result of the attack

• The two companies loan app, Dave[.]com, and software testing service, Flood[.]io, have blamed the Waydev for their security breaches.
• Dave disclosed about the data breach, that compromised details of 7.5 million users, only after hackers leaked the data on a public forum.

The company’s take

Recent OAuth incidents and warnings

• In July 2020, Microsoft had warned that consent phishing scams could trick customers into providing malicious Office 365 OAuth applications access to their Office 365 accounts.
• Microsoft took down the domains used by hackers that baited victims—using COVID-19-related lures—into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.