GitHub Warns Private User Data Accessed via OAuth Tokens

On April 18th, GitHub issued a security alert, "Attack campaign involving stolen OAuth user tokens issued to two third-party integrators", warning that private repository contents had been accessed using third-party OAuth user tokens maintained by Heroku and Travis CI.


David Stewart, CEO of Approov and an API security expert, weighed in on this latest threat:


"API keys and OAuth tokens are prime targets for attackers because they are relatively long lifetime identifiers which can be exploited at scale via scripts, similar to credential stuffing techniques using traditional usernames and passwords.


Organizations must consider worst case scenarios where API keys and OAuth tokens become available to bad actors and ensure that these assets can't be weaponized against their business. A typical way to mitigate such situations is to implement an additional authentication requirement to ensure that these credentials can only be used from genuine remote client instances, e.g. web apps or mobile apps."
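The mitigation Stewart describes, requiring a second proof that a request comes from a genuine client instance before a token is honoured, is illustrated below as an added example. This is not GitHub's, Heroku's, Travis CI's or Approov's code: it is a minimal sender-constrained token check written for this page. It assumes a per-instance secret key that the client established with the resource server at enrolment (the token string, the key, the paths and the timestamps are all constructed sample values), and it shows why a token copied out of a third-party integrator is not enough on its own to read a private repository when such a check is in place.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for this example (not real credentials): one OAuth
# user token and the secret key of the client instance it was issued to.
TOKEN = "gho_exampleUserToken0000000000000000000000"
CLIENT_INSTANCE_KEY = secrets.token_bytes(32)
OTHER_KEY = secrets.token_bytes(32)  # a script that has the token but not the instance key

def token_id(token: str) -> str:
    """Servers should index bindings by a hash of the token, never by the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()

# Server-side table: token id -> key of the genuine client instance it is bound to.
# In a real deployment this is populated when the client enrols (assumption).
TOKEN_BINDINGS = {token_id(TOKEN): CLIENT_INSTANCE_KEY}

MAX_SKEW_SECONDS = 60  # proofs older than this are treated as replays

def proof_input(method: str, path: str, token: str, timestamp: int) -> bytes:
    """Canonical string the proof covers, so the token is bound to this exact request."""
    return f"{method}\n{path}\n{token_id(token)}\n{timestamp}".encode()

def make_proof(instance_key: bytes, method: str, path: str, token: str, timestamp: int) -> str:
    """Client side: HMAC showing the token holder also holds the instance key."""
    return hmac.new(instance_key, proof_input(method, path, token, timestamp), hashlib.sha256).hexdigest()

def authorize(method: str, path: str, token: str, timestamp: int, proof: str, now=None):
    """Resource server: honour the token only together with a fresh, valid proof.

    Returns (allowed, reason); the reason is what a defender would want logged.
    """
    now = int(time.time()) if now is None else now
    key = TOKEN_BINDINGS.get(token_id(token))
    if key is None:
        return False, "unknown or revoked token"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale proof (possible replay)"
    expected = make_proof(key, method, path, token, timestamp)
    if not hmac.compare_digest(expected, proof):
        return False, "proof not produced by the bound client instance"
    return True, "ok"

def scenario(now: int = 1_650_000_000):
    """Exercise the check against five request patterns; returns name -> allowed."""
    ts = now
    path = "/repos/private"
    genuine = make_proof(CLIENT_INSTANCE_KEY, "GET", path, TOKEN, ts)
    forged = make_proof(OTHER_KEY, "GET", path, TOKEN, ts)
    return {
        "genuine client instance": authorize("GET", path, TOKEN, ts, genuine, now)[0],
        "token only, no proof": authorize("GET", path, TOKEN, ts, "", now)[0],
        "token with proof from wrong key": authorize("GET", path, TOKEN, ts, forged, now)[0],
        "captured proof reused on another path": authorize("GET", "/repos/other", TOKEN, ts, genuine, now)[0],
        "captured proof replayed an hour later": authorize("GET", path, TOKEN, ts, genuine, now + 3600)[0],
    }

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:40s} -> {'allowed' if allowed else 'rejected'}")
```

Only the first pattern is accepted. The proof covers the method, path, token hash and timestamp, so a proof captured alongside the token cannot be moved to a different request or replayed outside the freshness window, and a token alone is worth nothing to a script that never held the instance key. The `reason` strings returned on rejection are the signal to alert on: a burst of "proof not produced by the bound client instance" for a single token is exactly the pattern a leaked token being used at scale would produce.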

