Hackers use the fake GitHub “Security Alert” issue to hack accounts

April 15, 2025
Tags: GitHub, Phishing, Security Alert, Hacking

A large phishing campaign that poses as a fake “Security Alert” on GitHub has compromised at least 12,000 repositories. The campaign tries to trick developers into approving a malicious OAuth application that allows attackers to acquire complete control over accounts and code.

According to reports, the phishing security alert email used in the operation states that a strange access attempt was discovered on a targeted GitHub account.

Researchers who discovered the bogus security notice revealed that it informs GitHub users that their accounts have been compromised and that they should update their passwords, check and manage active sessions, and enable 2FA to protect their accounts.

However, all of the URLs for these recommendations redirect targets to a GitHub authorisation page for a “gitsecurityapp” OAuth app that demands access to extremely risky permissions that could grant an attacker complete access to a user’s account and repositories.

[Image caption:] The phishing campaign that targets GitHub users can result in unauthorised access.
The phishing campaign’s requested permissions provide comprehensive access to many GitHub services. The repo permission grants complete access to public and private repositories, whereas the user permission permits reading and writing to the user profile. The read:org permission allows the app to view organisation, project, and team memberships.

In addition, the read:discussion and write:discussion permissions allow the app to read and contribute to discussions. The gist permission grants access to GitHub gists, whereas delete_repo gives the power to remove repositories.

Furthermore, the workflow permissions (workflows, workflow, write:workflow, read:workflow, update:workflow) give the app complete control over the user’s GitHub Actions workflows, including reading, updating, and executing them.

If a user authorises the malicious OAuth app, an access token is generated and transmitted to the app’s callback URL, a collection of web pages hosted on Render.
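The two things a reviewer can check before anyone clicks “Authorize” are the scopes the link requests and where the resulting token will be sent. The following script is an added example written for this article, not code from the campaign or from GitHub: it parses a GitHub OAuth authorize URL, rates the requested scopes, and flags a redirect_uri whose host is not on an allow-list. The sample URL, the client_id value, the callback hostnames and the risk classification of each scope are constructed for the example; the scope names themselves are GitHub’s documented ones.

```python
"""
Triage a suspected phishing link that points at GitHub's OAuth consent page.

Added example (not from the article). It extracts client_id, redirect_uri
and the requested scopes from an authorize URL, rates the scopes, and
returns a verdict a security team could show to the person who received
the e-mail. The risk tiers below are this example's own classification.
"""
import re
from typing import Iterable
from urllib.parse import parse_qs, urlparse

# Scopes that let a third party take over or destroy code and CI.
HIGH_RISK_SCOPES = {
    "repo": "full read/write access to all public and private repositories",
    "delete_repo": "permission to delete repositories",
    "workflow": "permission to add or change GitHub Actions workflow files",
    "admin:org": "full control of organisation settings and membership",
    "admin:repo_hook": "full control of repository webhooks",
    "admin:public_key": "full control of SSH keys on the account",
}
# Scopes that expose data or allow writes short of code takeover.
MEDIUM_RISK_SCOPES = {
    "user": "read/write access to the user profile",
    "read:org": "read organisation, team and project membership",
    "write:org": "read/write access to organisation membership and projects",
    "gist": "read/write access to gists",
    "read:discussion": "read team discussions",
    "write:discussion": "read/write access to team discussions",
    "public_repo": "read/write access to public repositories",
}
# Read-only profile scopes a legitimate "sign in with GitHub" app might ask for.
LOW_RISK_SCOPES = {"read:user", "user:email"}


def parse_scopes(scope_value: str) -> list[str]:
    """GitHub accepts a space- or comma-delimited scope list; normalise it."""
    return [s for s in re.split(r"[\s,]+", scope_value.strip()) if s]


def triage_authorize_url(url: str, expected_redirect_hosts: Iterable[str] = ()) -> dict:
    """Return client_id, redirect host, scope tiers, findings and a verdict."""
    allowed_hosts = set(expected_redirect_hosts)
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    scopes = parse_scopes(query.get("scope", [""])[0])
    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect_uri).hostname or ""

    high = [s for s in scopes if s in HIGH_RISK_SCOPES]
    medium = [s for s in scopes if s in MEDIUM_RISK_SCOPES]
    unknown = [
        s for s in scopes
        if s not in HIGH_RISK_SCOPES and s not in MEDIUM_RISK_SCOPES and s not in LOW_RISK_SCOPES
    ]

    findings = []
    if parsed.hostname != "github.com" or parsed.path != "/login/oauth/authorize":
        findings.append("link is not GitHub's OAuth authorize endpoint")
    for s in high:
        findings.append(f"high-risk scope {s}: {HIGH_RISK_SCOPES[s]}")
    # The access token is delivered to redirect_uri, so an unexpected host
    # means the token goes to whoever runs that site.
    bad_redirect = bool(redirect_host and allowed_hosts and redirect_host not in allowed_hosts)
    if bad_redirect:
        findings.append(f"access token would be delivered to unexpected host {redirect_host}")
    if unknown:
        findings.append("unrecognised scope names: " + ", ".join(unknown))

    if high or bad_redirect:
        verdict = "block"
    elif medium or unknown:
        verdict = "review"
    else:
        verdict = "ok"

    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": scopes,
        "high": high,
        "medium": medium,
        "unknown": unknown,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample modelled on the scopes described in the article; the
# client_id and callback host are placeholders, not the campaign's values.
SAMPLE_PHISHING_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fcallback.example.invalid%2Fcb"
    "&scope=repo%20user%20read%3Aorg%20read%3Adiscussion%20write%3Adiscussion"
    "%20gist%20delete_repo%20workflow"
)

if __name__ == "__main__":
    result = triage_authorize_url(SAMPLE_PHISHING_URL, expected_redirect_hosts={"app.example.com"})
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The allow-list of redirect hosts is the part that needs local knowledge: it should contain only the callback domains of OAuth apps your organisation has actually approved. A user who has already approved an app like this one revokes it under GitHub Settings, Applications, Authorized OAuth Apps; revocation invalidates the token the app obtained.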

The phishing campaign started earlier this month and is still ongoing. As of now, nearly 12,000 repositories have been targeted by the attack. However, the number changes, indicating that GitHub is most likely reacting to the attack.

Users who were victims of this phishing attack and unintentionally granted authorisation to the rogue OAuth app should immediately remove its access.
