
Widespread OAuth phishing campaign targets GitHub repositories

A widespread phishing campaign has recently targeted nearly 12,000 GitHub repositories with fake “Security Alert” issues.

A widespread phishing campaign has recently targeted nearly 12,000 GitHub repositories with fake “Security Alert” issues. These bogus alerts trick developers into authorizing a malicious OAuth application, ultimately granting attackers full control over their accounts and code.

The campaign was first spotted by cybersecurity researcher Luc4m, and I also received notifications in some of my personal public repositories. The malicious notices, masquerading as GitHub-generated issues, falsely warn users about “unusual access attempts” from Reykjavik, Iceland, before urging them to secure their accounts.

The phishing issues typically follow this template:

Source: https://x.com/luc4m/status/1901310423330083237

The “secure your account” links in these issues do not lead to any legitimate GitHub settings page. They all point to a GitHub OAuth authorization page for a malicious app named “gitsecurityapp” or “Security App.”

The permissions requested by the app are the following:

  • repo: Grants full access to repositories, including private repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks for repositories and organizations. Also grants the ability to manage user projects.
  • user: Grants access to read and write a user's profile data.
  • read:org: Read-only access to organization membership, organization projects, and team membership.
  • read:discussion: Allows read access for team discussions.
  • write:discussion: Allows read and write access for team discussions.
  • gist: Grants write access to gists.
  • delete_repo: Grants permission to delete repositories.
  • workflows: Access to GitHub workflows.
  • write:workflow: Read and write access to workflow operations in an organization.
  • read:workflow: Read access to workflow operations in an organization.
  • update:workflow: Permission to update GitHub workflows.

By granting these permissions, attackers can effectively take over your account: they could modify or delete code, create malicious commits, exfiltrate sensitive data, and manage your workflows.
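The practical defensive check that follows from this is to look at what an authorization link actually asks for before anyone clicks it. GitHub's authorize endpoint carries the requested scopes in its `scope` query parameter, so an issue or notification that links to it can be triaged automatically. The script below is an added example written for this post, not Nudge Security's code and not anything from the campaign itself: it finds `github.com/login/oauth/authorize` links in an issue body, decodes the requested scopes, and rates them with a risk policy derived from the scope descriptions listed above. The sample issue body, the `EXAMPLE_CLIENT_ID` value and the `example.invalid` redirect URI are constructed for the demonstration; the risk tiers are this example's own assumptions rather than a GitHub-defined ranking.

```python
"""Triage GitHub issue text that links to an OAuth authorization page.

Added example (not Nudge Security's code). Given an issue body, it extracts
any links to GitHub's OAuth authorize endpoint, decodes the scopes each link
requests, and rates them so a reviewer sees at a glance that a "security
alert" is really asking for write access to repositories and workflows.
"""
import re
from urllib.parse import parse_qs, urlparse

# Matches an authorize URL up to the next whitespace, bracket or quote, so
# links wrapped in Markdown such as [text](https://...) are captured cleanly.
AUTHORIZE_RE = re.compile(
    r"""https?://github\.com/login/oauth/authorize\?[^\s)\]>"']+"""
)

# Risk policy for this example, derived from the scope descriptions in the
# post. "workflow" is GitHub's real scope name for Actions workflow files; the
# other workflow-related names are the ones listed in the post's permission
# list. Anything not in this table is reported as "unknown" for human review.
SCOPE_RISK = {
    "repo": "high",            # full read/write on all repos, including private
    "delete_repo": "high",     # can delete repositories
    "workflow": "high",        # can change CI workflow files
    "workflows": "high",
    "write:workflow": "high",
    "update:workflow": "high",
    "user": "medium",          # read/write on profile data
    "gist": "medium",          # write access to gists
    "write:discussion": "medium",
    "read:org": "low",
    "read:discussion": "low",
    "read:workflow": "low",
}
ORDER = ["none", "low", "medium", "high"]


def extract_authorize_links(issue_body: str) -> list[str]:
    """Return every OAuth authorize link found in the issue text."""
    return AUTHORIZE_RE.findall(issue_body)


def requested_scopes(authorize_url: str) -> list[str]:
    """Decode the scopes an authorize link asks for.

    GitHub documents `scope` as a space-delimited list; commas are also
    accepted here because some clients send them.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in re.split(r"[\s,]+", raw) if s]


def rate_scopes(scopes: list[str]) -> tuple[str, dict[str, str]]:
    """Rate a scope list; the verdict is the worst tier present."""
    rated = {s: SCOPE_RISK.get(s, "unknown") for s in scopes}
    tiers = set(rated.values())
    if "high" in tiers:
        verdict = "high"
    elif "medium" in tiers or "unknown" in tiers:
        verdict = "medium"
    elif rated:
        verdict = "low"
    else:
        verdict = "none"
    return verdict, rated


def triage_issue(issue_body: str) -> dict:
    """Summarise every authorize link in an issue body with its risk verdict."""
    findings = []
    for link in extract_authorize_links(issue_body):
        query = parse_qs(urlparse(link).query)
        verdict, rated = rate_scopes(requested_scopes(link))
        findings.append({
            "url": link,
            "client_id": query.get("client_id", [""])[0],
            "verdict": verdict,
            "scopes": rated,
        })
    worst = max((f["verdict"] for f in findings), key=ORDER.index, default="none")
    return {"authorize_links": len(findings), "verdict": worst, "findings": findings}


# Constructed sample issue body modelled on the campaign described in the
# post; the client_id and redirect_uri values are placeholders, not real ones.
SAMPLE_ISSUE = """Security Alert: Unusual Access Attempt
We detected a login attempt on your account from Reykjavik, Iceland.
If this was not you, [secure your account](https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&scope=repo%20user%20read%3Aorg%20gist%20delete_repo%20workflow) now.
"""

if __name__ == "__main__":
    result = triage_issue(SAMPLE_ISSUE)
    print(f"verdict: {result['verdict']} ({result['authorize_links']} authorize link(s))")
    for finding in result["findings"]:
        print(f"  client_id={finding['client_id']}")
        for scope, tier in finding["scopes"].items():
            print(f"    {scope:<18} {tier}")
```

Run against the constructed sample, the verdict is "high" because the link asks for `repo`, `delete_repo` and `workflow` together, which is exactly the combination that lets an attacker rewrite code, delete repositories and alter CI. A link that only requests `read:org` rates "low", and an issue with no authorize link at all rates "none", so the same function can run over a feed of issue notifications and surface only the ones worth a closer look.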

How can Nudge Security help?

With our GitHub connected app, Nudge Security can gain deeper insight into GitHub misconfigurations, app-to-app and integration risks, and take action on your findings, allowing you to further strengthen your SaaS security posture.

Nudge Security allows you to quickly create an inventory of all the app to app integrations in your environment including your GitHub organizations:

For unmanaged GitHub accounts you can still receive notifications when new OAuth apps are added to an account:

And configure notifications for when new OAuth grants or GitHub apps are added to your environment:

Start your 14-day free trial of Nudge Security to gain insight into your organization's potential GitHub misconfigurations, app-to-app and integration risks, and take immediate action on your findings.
