Hackers Exploit GitHub Notifications to Deploy Malicious OAuth Apps Targeting Developers
In a recent cybersecurity development, researchers have identified a sophisticated phishing campaign that leverages GitHub’s notification system to deceive developers into authorizing malicious OAuth applications. This method exploits GitHub’s trusted infrastructure, making it challenging for victims to discern the fraudulent nature of the alerts.
The Significance of Developer Accounts
Developers hold the keys to the digital kingdom, managing source code, repositories, and automated workflows. Compromising a developer’s account can grant attackers access to critical systems, enabling them to inject malicious code into software supply chains. Recent incidents involving popular projects like Axios and LiteLLM, each boasting over 100 million weekly downloads, underscore the potential damage of such breaches.
Mechanics of the Phishing Attack
Security analysts from Atsika uncovered this campaign while investigating novel initial access techniques targeting GitHub users. Unlike traditional phishing methods that rely on intermediary tactics, this approach exploits GitHub’s issue notification feature. By mentioning a user in an issue description, the attacker triggers an automatic email notification from GitHub’s official no-reply address, delivering the phishing content directly to the developer’s inbox.
Execution of the Attack
The attack is both cost-effective and efficient. An adversary needs only a free GitHub account, a malicious OAuth application, and a hosting server. The process unfolds as follows:
1. Creation of a Deceptive GitHub Account: The attacker sets up a GitHub account impersonating a legitimate security service, complete with a convincing display name and a fabricated repository.
2. Development of a Malicious OAuth Application: An OAuth app, dubbed MalGitApp in the proof-of-concept, is created. This app requests extensive permissions, including full read and write access to public and private repositories, control over GitHub Actions workflows, and access to the user’s email and profile data.
3. Deployment of the Phishing Notification: The attacker posts an issue in the fabricated repository, mentioning the target user. This action triggers GitHub’s notification system to send an email to the developer.
4. Manipulation of the Issue Content: Within seconds, the attacker edits or deletes the issue content. Due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability in GitHub’s notification system, the email reflects the latest version of the issue. Consequently, the developer receives a polished phishing message, while the actual issue appears blank or benign upon inspection.
5. Concealment of the Phishing Link: To evade detection, the attacker uses link shorteners to mask the OAuth authorization URL, as GitHub flags direct OAuth links as suspicious.
6. Authorization of the Malicious App: If the developer clicks the link and approves the OAuth app, the attacker obtains a valid access token. This token allows the adversary to clone repositories, inject backdoors, and manipulate automation workflows, effectively gaining partial control over the victim’s GitHub account.
Exploitation of the TOCTOU Vulnerability
A critical aspect of this attack is the exploitation of a TOCTOU race condition in GitHub’s notification system. By rapidly altering the issue content after mentioning a user, the attacker ensures that the email notification contains the phishing content, while the repository displays a neutral or empty issue. This tactic makes it exceedingly difficult to trace the phishing attempt back to the attacker, as all revisions can be erased.
Implications and Recommendations
This campaign highlights the evolving tactics of cybercriminals targeting developers through trusted platforms. To mitigate such risks, developers and organizations should:
– Exercise Caution with Notifications: Scrutinize unexpected GitHub notifications, especially those prompting OAuth app authorizations.
– Verify OAuth Applications: Before granting permissions, verify the legitimacy of OAuth apps by checking their source and the permissions requested.
– Monitor Repository Activity: Regularly review repository activities for unauthorized changes or suspicious behavior.
– Implement Multi-Factor Authentication (MFA): Enhance account security by enabling MFA to add an extra layer of protection.
– Stay Informed: Keep abreast of emerging threats and vulnerabilities within the developer community to proactively address potential risks.
By adopting these practices, developers can fortify their defenses against sophisticated phishing campaigns that exploit trusted platforms like GitHub.
