Hackers Stole GitHub and GitLab OAuth Tokens From Git Analytics Firm Waydev (zdnet.com)
Waydev, an analytics platform used by software companies, has disclosed a security breach that occurred earlier this month. From a report: The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database. Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers' work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores. When users install the app, Waydev receives an OAuth token that it can use to access its customers' GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers. Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens. The hackers then used some of these tokens to pivot to other companies' codebases and gain access to their source code projects.
But but but you can trust them (Score:3)
They said so, and they're popular, so of course you can trust them implicitly! /s
If external hackers were able to access it... (Score:5, Insightful)
It's not really an "internal" database.
Re:If external hackers were able to access it... (Score:5, Informative)
SQL injection is something that should never happen, it is 100% preventable in various different ways.
Re: (Score:2)
Which method, exactly, still allows you access to the database to request or send any information?
Re:If external hackers were able to access it... (Score:5, Informative)
Re: (Score:2)
If you can connect to the database enough to issue such a request, then it is accessible.
Re: (Score:2)
Re: (Score:2)
Indirect access is still access. Such indirect access is often quite poorly secured: the requirements to sanitize inputs are not done, for many reasons.
Re: (Score:2)
Re: (Score:2)
I see your point. But query parameterization is not how you "allow access". It's a means to sanitize access. The distinction is vital.
Sadly, it's often done quite poorly.
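The two comments above (SQL injection being entirely preventable, and parameterization as the way to do it) are easy to see side by side in code. The following is an added example, not code from Waydev or from any poster in this thread: a query built by string concatenation next to the same query with a bound parameter, run against a constructed in-memory SQLite table whose rows and placeholder token values are invented for the demonstration. The same defect is what makes blind injection possible; whether the attacker sees the rows directly or only infers them from timing or errors, the fix is identical.

```python
import sqlite3

# Constructed sample data: a tiny table standing in for the kind of
# per-customer record that would hold an integration's OAuth token.
# The token strings are placeholders, not real credentials.
ROWS = [
    (1, "acme", "TOKEN_A_PLACEHOLDER"),
    (2, "globex", "TOKEN_B_PLACEHOLDER"),
    (3, "initech", "TOKEN_C_PLACEHOLDER"),
]


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE integrations (id INTEGER, customer TEXT, token TEXT)"
    )
    # executemany with '?' placeholders is itself parameterized.
    conn.executemany("INSERT INTO integrations VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """BAD: the caller's string is pasted into the SQL text.

    A quote character in the input ends the literal and the rest of the
    input becomes query structure, so the WHERE clause no longer means
    what the developer wrote.
    """
    sql = f"SELECT customer FROM integrations WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """GOOD: the value is bound by the driver, never spliced into the SQL.

    Whatever characters the input contains, it can only ever be compared
    as a literal customer name.
    """
    sql = "SELECT customer FROM integrations WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


if __name__ == "__main__":
    db = make_db()
    # The classic textbook input: a closing quote followed by a tautology.
    probe = "acme' OR '1'='1"
    print("concatenated :", lookup_vulnerable(db, probe))   # every customer
    print("parameterized:", lookup_parameterized(db, probe))  # nothing matches
```

The parameterized version is also what the frameworks mentioned later in the thread do under the hood when used as intended; the point of the example is that the bound value never reaches the SQL parser as text, so there is nothing to "escape".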
Re: (Score:2)
I've worked for 5 companies in the past 13 years, mostly with engineering teams of 4-10 people. At any of them, the idea of writing code such that a user input string was passed, unsanitized and unescaped, to a database would have been laughable.
Properly quoting, escaping, and sanitizing strings is trivial, and built into most frameworks used for real software development (Spring and Hibernate in the Java world, for instance).
The only r
Re: (Score:1)
One thing that has concerned me, at least under Postgresql, is that popular PG libraries for PHP and C# offer parameterized interfaces that are converted to inline SQL by the library.
Re: (Score:2)
Who would have thunk? (Score:2)
shouldn't... (Score:3)
So your company measures your performance ... (Score:4, Insightful)
I'm *already* not working there
Isn't this supposed to fix stolen passwords? (Score:1)
I've read repeatedly that these access tokens are supposed to "fix" the problem of authenticating apps without giving them your login credentials.
Guess it just presents a different attack vector...
Re: (Score:1)
In many (most?) other cases, you are right, the token is an extra attack vector.
Re:Isn't this supposed to fix stolen passwords? (Score:5, Informative)
It allows you to have separate tokens for each application, so when one is compromised like this, you invalidate that token and any other apps you authorized to access your account are not affected, making cleanup after a breach a lot less hassle. With fine grained access control, it can limit the scope of what is exposed when a token is compromised like this.
OAuth2 is supposed to be secure (Score:3)
OAuth2 alone isn't enough for security - you need IP access control and some kind of dynamic renewal process. They probably stole the access and refresh tokens, which is why they were able to continue accessing the site.
It's strange that the internal systems didn't notice excessive renewal requests, or that the renewal token was already used.
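Two of the comments above describe properties an authorization server can enforce: per-application tokens with limited scopes that can be revoked one at a time (the "Isn't this supposed to fix stolen passwords?" reply), and detection of a refresh token being presented twice (the comment directly above). The following is an added example, not code from GitHub, GitLab or Waydev: a deliberately simplified in-memory token store, with invented app names and scopes, that rotates refresh tokens on every renewal and treats reuse of an already-rotated refresh token as a compromise signal that revokes the whole grant.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Grant:
    """One authorization of one app by one user (assumed, simplified model)."""
    app: str
    scopes: frozenset
    access_token: str
    refresh_token: str
    used_refresh_tokens: set = field(default_factory=set)
    revoked: bool = False


class TokenStore:
    """Minimal authorization-server state; not any real provider's code."""

    def __init__(self) -> None:
        self.grants = {}      # (user, app) -> Grant
        self.by_access = {}   # live access token -> Grant
        self.by_refresh = {}  # every refresh token ever issued -> Grant

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(24)

    def authorize(self, user: str, app: str, scopes) -> Grant:
        """Issue a separate grant per app, so one leak does not expose the rest."""
        grant = Grant(app, frozenset(scopes), self._new_token(), self._new_token())
        self.grants[(user, app)] = grant
        self.by_access[grant.access_token] = grant
        self.by_refresh[grant.refresh_token] = grant
        return grant

    def check_access(self, access_token: str, needed_scope: str) -> bool:
        """True only for a live, unrevoked token whose grant carries the scope."""
        grant = self.by_access.get(access_token)
        return grant is not None and not grant.revoked and needed_scope in grant.scopes

    def revoke(self, user: str, app: str) -> None:
        """Kill one app's grant; other apps the user authorized keep working."""
        self.grants[(user, app)].revoked = True

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Rotate tokens; a replayed refresh token revokes the entire grant."""
        grant = self.by_refresh.get(refresh_token)
        if grant is None:
            return None  # never issued: refuse
        if grant.revoked or refresh_token in grant.used_refresh_tokens:
            # The token was already rotated once. Either the legitimate client
            # or whoever copied it is now replaying it; we cannot tell which,
            # so the safe move is to invalidate everything under this grant.
            grant.revoked = True
            return None
        grant.used_refresh_tokens.add(refresh_token)
        del self.by_access[grant.access_token]  # old access token stops working
        grant.access_token = self._new_token()
        grant.refresh_token = self._new_token()
        self.by_access[grant.access_token] = grant
        self.by_refresh[grant.refresh_token] = grant
        return grant.access_token, grant.refresh_token


if __name__ == "__main__":
    store = TokenStore()
    analytics = store.authorize("alice", "analytics-app", ["repo:read"])
    ci = store.authorize("alice", "ci-app", ["repo:read", "repo:write"])
    store.revoke("alice", "analytics-app")
    print("analytics still readable?", store.check_access(analytics.access_token, "repo:read"))
    print("ci still writable?      ", store.check_access(ci.access_token, "repo:write"))
    old_refresh = ci.refresh_token
    store.refresh(old_refresh)
    print("replay accepted?        ", store.refresh(old_refresh) is not None)
```

The detection the comment asks about falls out of keeping every issued refresh token in the index: a legitimate client only ever presents the newest one, so a second presentation of any older one is by definition anomalous, and logging that event is the cheapest early warning a provider can get.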
Re: (Score:3)
You also need a stable and verifiable IP address space from which to use the tokens. This has proven very difficult in many environments, and in other environments the process owners are simply unwilling to do the extra work or to allow someone else's automated tool to update the filters preventing access from other addresses.
Question of the day (Score:2)
Has anybody ever asked whether the idea of a "data-driven" application is a good idea?
Everything is executable. Just fill out the right forms, and you can completely reprogram the computer to launch missiles.
Re: (Score:2)
so now software from github & gitlab (Score:1)
Re: (Score:2)
GitHub and GitLab were not hacked, Waydev was. If you never authorized Waydev to access your GitHub or GitLab account, your account is not compromised.
Lines of code is so easy to game (Score:1)
Re: (Score:2)
Clearly enough programmers are not gaming that particular metric.
Waydev (Score:2)