
There’s nothing in this article that says customer source code was accessed or stolen. Is that an error with the title?



> On December 29, 2022, we were alerted to suspicious GitHub OAuth activity by one of our customers. This notification kicked off a deeper review by CircleCI’s security team with GitHub.

> ...

> Review GitHub audit log files for unexpected commands such as ... repo.download_zip

I don't know what you'd get from GitHub other than source code, but the CircleCI blog post explicitly describes the attacker downloading entire repos as a .zip.

https://circleci.com/blog/jan-4-2023-incident-report/
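The audit-log review quoted above, as an added example that is not part of the thread or of CircleCI's post: it filters a GitHub audit log export for `repo.download_zip` within a review window and groups the hits by actor, since a token pulling several repos in quick succession is the pattern worth escalating. The export field names (action, actor, repo, @timestamp in epoch milliseconds) are assumed from GitHub's JSON export format, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Audit log actions worth a second look. Only repo.download_zip is named in
# the thread; extend the set with whatever else your review treats as unexpected.
SUSPICIOUS_ACTIONS = frozenset({"repo.download_zip"})

# Constructed sample of a GitHub audit log export (newline-delimited JSON).
# Field names action / actor / repo / @timestamp (epoch ms) are assumed from
# GitHub's export format; every value below is invented for this example.
SAMPLE_EXPORT = """
{"action":"git.push","actor":"dev-alice","repo":"example-org/app","@timestamp":1672300800000}
{"action":"repo.download_zip","actor":"dev-alice","repo":"example-org/app","@timestamp":1672304400000}
{"action":"repo.download_zip","actor":"dev-alice","repo":"example-org/infra","@timestamp":1672304460000}
{"action":"repo.download_zip","actor":"dev-alice","repo":"example-org/billing","@timestamp":1672304520000}
{"action":"repo.download_zip","actor":"dev-bob","repo":"example-org/docs","@timestamp":1672218000000}
{"action":"repo.create","actor":"dev-bob","repo":"example-org/sandbox","@timestamp":1672400000000}
"""

def parse_export(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def to_dt(entry):
    """Convert the @timestamp field (epoch milliseconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(entry["@timestamp"] / 1000, tz=timezone.utc)

def find_suspicious(entries, since, actions=SUSPICIOUS_ACTIONS):
    """Return entries with a watched action at or after `since` (aware datetime)."""
    return [e for e in entries if e["action"] in actions and to_dt(e) >= since]

def bulk_downloaders(hits, min_repos=2, window_minutes=10):
    """Report actors who zip-downloaded at least `min_repos` distinct repos
    inside any `window_minutes` span, keyed by actor -> sorted repo list."""
    by_actor = defaultdict(list)
    for e in hits:
        by_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        evs.sort(key=to_dt)
        for i, first in enumerate(evs):  # slide a window starting at each event
            repos = {e["repo"] for e in evs[i:]
                     if (to_dt(e) - to_dt(first)).total_seconds() <= window_minutes * 60}
            if len(repos) >= min_repos:
                flagged[actor] = sorted(repos)
                break
    return flagged
```

With `since` set to the start of the review window, `find_suspicious(parse_export(SAMPLE_EXPORT), since)` returns only dev-alice's three downloads, and `bulk_downloaders` flags that actor because three distinct repos were pulled within two minutes.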


GitHub OAuth access credentials could be used to compromise OAuth-authenticated apps. And GitHub personal access tokens with too broad of permissions could download pretty much anything, including any secrets stored in GitHub Actions.

But getting the source code is pretty bad by itself. Not from an intellectual property standpoint, but because I've never seen a company whose developers didn't commit live credentials into their source code.


If they had access to GitHub Actions creds, I'm assuming the attackers could also push releases. I wonder how much malware is now in the wild because of this breach.


> I've never seen a company whose developers didn't commit live credentials into their source code

Said company ought to immediately rotate the credentials and force rewrite the repo history to nuke the commit for good measure.


> I've never seen a company whose developers didn't commit live credentials into their source code.

I don’t do that, but I’m pretty pathological about stuff like that.

I learned it from the company I used to work for, who were paranoid, to the point of lunacy, about Chinese hackers (they were breached once, and took the lesson to extremes).

I don’t think they are an outlier. I’ll bet lots of companies are just as tinfoil.

It’s a downright unbearable development environment, though.

I’ve heard banks can be even worse.


GitHub secrets are encrypted, right? I didn't think there was any way to access them without running a GitHub Actions job that deliberately uploads them somewhere else (or echoes them into the log with rot13/base64 or something else).


It can do everything the user can do.


As a CI company, their ‘customer data’ is source code!


The article is referring to how the attacker could use the stolen GitHub tokens to download someone's source code. The source code isn't coming from CircleCI.


The story, and the CircleCI post, say the customer data was environment variables and other configuration data. Not source code.


CircleCI has listed literally every kind of credential used by its users as vulnerable. This includes deploy keys that are used to download source code. Anyone who has access to customer data, and a deploy key, can just check out the source code, instantly.

The extent to which CircleCI has gone to eliminate all threats is... scary. They've gotten GitHub to invalidate any GitHub access tokens used by a CircleCI customer. They've gotten AWS to e-mail AWS customers if one of their access keys was stored in CircleCI. It's a complete and total compromise of literally every customer secret in CircleCI. I expect this will be the biggest hack of 2023... and it's still January.

So, yeah, I'm pretty sure customer source code is up for grabs.


What do you store in GitHub repos...

> Review GitHub audit log files for unexpected commands such as ... repo.download_zip

https://circleci.com/blog/jan-4-2023-incident-report/


Headline is now changed.

> Updated headline to better reflect the customer data that was taken.

Probably should be updated on HN too.



