Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database.
The Salesforce-owned cloud platform acknowledged that the same compromised token was used by attackers to exfiltrate customers’ hashed and salted passwords from “a database.”
Heroku’s update comes after BleepingComputer reached out to Salesforce yesterday.
Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub. This indicated that these password resets were related to another matter.
Heroku explains forced password resets
This week, Heroku started performing forced password resets for a subset of its user accounts after last month’s security incident, without fully explaining why.
On Tuesday night, some Heroku users received emails titled “Heroku security notification – resetting user account passwords on May 4, 2022,” advising users that their account passwords were being reset in response to the security incident. The reset would also invalidate all API access tokens and require users to generate new ones, the email explained.
But the original security incident being referred to involved threat actors stealing OAuth tokens issued to Heroku and Travis-CI and abusing them to download data from private GitHub repositories belonging to dozens of organizations, including npm.
“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” GitHub had previously disclosed.
These tokens had earlier been used by Travis-CI and Heroku OAuth applications to integrate with GitHub to deploy applications.
By stealing these OAuth tokens, threat actors could access and download data from GitHub repositories belonging to anyone who had authorized the compromised Heroku or Travis CI OAuth apps on their accounts. Note that GitHub’s own infrastructure, systems, and private repositories were not impacted by the incident.
But that still did not explain why Heroku would need to reset some user account passwords—until now.
It turns out the compromised token for a Heroku machine account obtained by threat actors also allowed unauthorized access into Heroku’s internal database of customer accounts:
“Our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts,” explains Heroku in an updated security notification.
“For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.”
A YCombinator Hacker News reader suggested that the “database” being referred to might be what was once called “core-db.”
The reader in question is Craig Kerstiens of PostgreSQL platform CrunchyData, who has previously been affiliated with Heroku.
“The latest report mentions ‘a database’, which is presumably the internal database,” says Kerstiens.
“I don’t want to speculate too much, but it seems [the attacker] had access to internal systems. GitHub were the ones that detected and noticed it and reported to Heroku. Do not disagree that there should be more clarity, but best to follow up with Salesforce on that.”
BleepingComputer reached out to Kerstiens who confirmed writing these comments.
Customers call vague disclosure a ‘train wreck’
Heroku’s original disclosure of the security incident stated that unauthorized access had been limited to GitHub repositories belonging to accounts that had authorized Heroku’s compromised OAuth tokens.
“The compromised tokens could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts,” the company had previously stated.
But the password reset emails rightfully prompted concerns among customers that Heroku’s investigation may have uncovered further malicious activity by the threat actors that was not being disclosed.
Some YCombinator Hacker News readers dubbed the disclosure “a complete train wreck and a case study on how not to communicate with your customers.”
In its quest to be more transparent with the community, Heroku has shed some light on the incident, starting a few hours ago.
“We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date,” says Heroku.
The cloud platform further stated that after working with GitHub, threat intel vendors, industry partners and law enforcement during the investigation it had reached a point where more data could be shared without compromising the ongoing investigation:
“On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.
GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality.”
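The timeline above shows the pattern a repository owner can hunt for on their own side: a single OAuth integration token that normally touches one repository per deploy suddenly pulling many repositories in a short window, often from a source address the integration never used before. The script below is an added example, not code from Heroku, GitHub or this article. It runs a sliding-window detector over constructed, JSON-lines audit events; the field names it reads (`action`, `actor`, `repo`, `actor_ip`, `created_at`, `programmatic_access_type`, `oauth_application_id`) are assumed for illustration and should be mapped onto the fields of your own organization audit-log export before use.

```python
"""Flag OAuth-token-driven bursts of repository cloning/downloading.

Added example (not Heroku's, GitHub's or the article's code). Sample events
are constructed; the field names are assumed and must be checked against a
real audit-log export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Actions that move repository contents; names assumed for illustration.
DOWNLOAD_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

# Constructed sample: ordinary interactive traffic, one routine deploy by an
# OAuth integration, then the same integration's token pulling six repos in
# six minutes from a source IP it never used before.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"action": "git.clone", "actor": "alice", "repo": "acme/web",
     "actor_ip": "203.0.113.7", "created_at": "2022-04-08T09:00:00Z"},
    {"action": "git.fetch", "actor": "alice", "repo": "acme/web",
     "actor_ip": "203.0.113.7", "created_at": "2022-04-08T09:30:00Z"},
    {"action": "git.clone", "actor": "bob", "repo": "acme/api",
     "actor_ip": "198.51.100.5", "programmatic_access_type": "OAuth access token",
     "oauth_application_id": 1111, "created_at": "2022-04-08T10:00:00Z"},
    *[{"action": act, "actor": "bob", "repo": f"acme/{name}",
       "actor_ip": "192.0.2.44", "programmatic_access_type": "OAuth access token",
       "oauth_application_id": 1111, "created_at": f"2022-04-09T02:{i:02d}:00Z"}
      for i, (act, name) in enumerate([
          ("git.clone", "web"), ("git.clone", "api"),
          ("repo.download_zip", "billing"), ("git.clone", "infra"),
          ("git.clone", "secrets-rotation"), ("repo.download_zip", "mobile")])],
])


def parse_events(text):
    """Parse JSON-lines audit events and attach a UTC datetime as 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_oauth_bursts(text, window=timedelta(minutes=15), min_repos=4):
    """Return one finding per (OAuth app, actor, source IP) whose token pulled
    at least `min_repos` distinct repositories inside some `window`-long
    sliding interval. Interactive (non-token) activity is ignored."""
    by_key = defaultdict(list)
    for e in parse_events(text):
        if e["action"] not in DOWNLOAD_ACTIONS:
            continue
        if e.get("programmatic_access_type") != "OAuth access token":
            continue
        by_key[(e["oauth_application_id"], e["actor"], e["actor_ip"])].append(e)

    findings = []
    for (app_id, actor, ip), evs in by_key.items():
        best, best_start, start = set(), None, 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            repos = {x["repo"] for x in evs[start:end + 1]}
            if len(repos) > len(best):
                best, best_start = repos, evs[start]["ts"]
        if len(best) >= min_repos:
            findings.append({
                "oauth_application_id": app_id, "actor": actor, "actor_ip": ip,
                "distinct_repos": len(best), "window_start": best_start.isoformat(),
                "repos": sorted(best),
            })
    return findings


if __name__ == "__main__":
    for f in find_oauth_bursts(SAMPLE_AUDIT_LOG):
        print(json.dumps(f, indent=2))
```

On the constructed sample the detector reports a single finding: app `1111` acting as `bob` from `192.0.2.44` pulled six distinct repositories starting at 02:00 UTC on April 9, while the same app's routine single-repo deploy from its usual address is not flagged. Tune `window` and `min_repos` to the integration's normal cadence; the useful signal is the combination of a new source IP and a repository count far above what one deploy needs, not either alone.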
By contrast, another third-party integrator, Travis-CI, disclosed on the business day following GitHub’s original notification that no customer data had been impacted by the incident.
Heroku users are advised to continue monitoring the security notification page for updates related to the incident.
Update, May 5th, 2022 09:30 AM ET: We confirmed the quoted reader in the piece is indeed Kerstiens.