Intrusions Abused GitHub and GitLab OAuth Tokens From Git Analytics Firm, Waydev

By accessing OAuth tokens, attackers can gain unauthorized access to projects and source code, clone them, and more easily steal personal data. Waydev, a San Francisco-based analytics platform provider, faced this kind of trouble, which resulted in the exposure of its customers’ data.

The attack timeline

Waydev first learned about the unauthorized use of its GitHub OAuth token in early July 2020.
  • The company confirmed that attackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
  • The hackers reportedly performed multiple attacks over an AJAX call, performed exploratory activities, and launched automated scanners between June 10, 2020, and July 03, 2020. The company patched the exploited vulnerability on the same day.
  • On July 6, 2020, the company observed that the attacker might have cloned repositories from the users who connected via GitHub OAuth. It appeared that the hackers had gained access to a small subset of its customer codebases.

Result of the attack

It has been confirmed that the stolen OAuth tokens have been abused for intrusions into at least two other companies.
  • The two companies, loan app Dave[.]com and software testing service Flood[.]io, have blamed Waydev for their security breaches.
  • Dave disclosed the data breach, which compromised details of 7.5 million users, only after hackers leaked the data on a public forum.

The company’s take

Waydev has notified the affected users and the US authorities about the security breach and has also released Indicators of Compromise (IoCs) associated with the hackers, such as email addresses, IP addresses, and user-agent strings.
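The sketch below is an example added here, not code from Waydev or from the article's author. It shows how a customer could sweep repository audit events for OAuth-authenticated clones that match the published IP and user-agent indicators. The log format, field names, and indicator values are constructed placeholders; the window start is the June 10, 2020 date given in the timeline.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Placeholder IoCs (constructed); substitute the values Waydev published.
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_USER_AGENTS = ["example-scanner/1.0"]
# Start of the attacker activity reported in the article.
WINDOW_START = datetime(2020, 6, 10, tzinfo=timezone.utc)

# Constructed audit events, one JSON object per line; field names are assumed.
SAMPLE_LOG = """
{"ts":"2020-06-02T08:00:00Z","action":"git.clone","repo":"acme/api","ip":"192.0.2.77","ua":"git/2.27.0","auth":"oauth"}
{"ts":"2020-06-15T03:12:44Z","action":"git.clone","repo":"acme/api","ip":"192.0.2.77","ua":"git/2.27.0","auth":"oauth"}
{"ts":"2020-07-01T10:00:00Z","action":"git.clone","repo":"acme/api","ip":"192.0.2.10","ua":"git/2.27.0","auth":"ssh"}
{"ts":"2020-07-06T01:30:09Z","action":"git.clone","repo":"acme/billing","ip":"203.0.113.9","ua":"Example-Scanner/1.0 (probe)","auth":"oauth"}
{"ts":"2020-07-06T09:45:00Z","action":"git.clone","repo":"acme/web","ip":"198.51.100.4","ua":"git/2.27.0","auth":"oauth"}
"""

def ioc_reasons(event):
    """Return which IoC types (ip, user_agent) an event matches."""
    reasons = []
    try:
        addr = ipaddress.ip_address(event.get("ip", ""))
        if any(addr in net for net in IOC_NETWORKS):
            reasons.append("ip")
    except ValueError:
        pass  # missing or malformed address: cannot match an IP indicator
    ua = event.get("ua", "").lower()
    if any(marker.lower() in ua for marker in IOC_USER_AGENTS):
        reasons.append("user_agent")
    return reasons

def suspicious_clones(log_text):
    """List OAuth-authenticated clones inside the window that match an IoC."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        event = json.loads(line)
        when = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        if when < WINDOW_START:
            continue
        if event.get("action") != "git.clone" or event.get("auth") != "oauth":
            continue
        reasons = ioc_reasons(event)
        if reasons:
            findings.append((event["ts"], event["repo"], reasons))
    return findings

if __name__ == "__main__":
    for ts, repo, reasons in suspicious_clones(SAMPLE_LOG):
        print(ts, repo, ",".join(reasons))
```

Any repository returned by the sweep should be treated as exposed: revoke the OAuth grant and rotate the secrets stored in that codebase.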

Recent OAuth incidents and warnings

  • In July 2020, Microsoft warned that consent phishing scams could trick customers into providing malicious Office 365 OAuth applications access to their Office 365 accounts.
  • Microsoft took down the domains used by hackers that baited victims, using COVID-19-related lures, into giving them permission to access and control their Office 365 accounts by granting access permissions to attacker-controlled malicious OAuth apps.