Cybersecurity experts have identified a new phishing strategy targeting software developers by exploiting GitHub’s notification system. This method involves sending deceptive OAuth app authorization requests under the guise of legitimate GitHub alerts, thereby posing significant risks to developers.
Exploiting GitHub’s Trusted System
The attack leverages GitHub’s reliable infrastructure, making it challenging for developers to differentiate between genuine notifications and phishing attempts. Developers, who manage critical code and systems, are prime targets for cybercriminals seeking unauthorized access to source codes and private repositories.
By compromising developers’ accounts, attackers can inject harmful code into software supply chains, impacting large-scale projects like Axios and LiteLLM, which witness over 100 million downloads weekly. This highlights the severe implications of such security breaches.
Unmasking the Phishing Technique
Atsika researchers discovered this phishing campaign while analyzing less common initial access strategies on GitHub. Unlike conventional Attacker-in-The-Middle tactics, this method uses GitHub’s issue notification system to send phishing content directly to developers’ inboxes via GitHub’s no-reply address.
Attackers create fake GitHub accounts mimicking official security entities and develop OAuth apps, such as a proof-of-concept app named “MalGitApp.” These apps request extensive permissions, potentially granting attackers significant control over a victim’s GitHub account.
Understanding the TOCTOU Vulnerability
A key component of this attack is a Time-of-Check Time-of-Use (TOCTOU) vulnerability within GitHub’s notification system. Attackers can manipulate the content of an issue notification right after it is sent, providing a polished phishing message while the original issue appears blank or innocuous on the platform.
To further evade detection, attackers employ link shorteners to mask phishing URLs and create account names that resemble official GitHub notifications, enhancing their credibility.
Protective Measures for Developers
Developers and organizations can mitigate these risks by thoroughly reviewing the permissions requested by OAuth applications and being cautious of unexpected authorization requests. Regular audits of authorized apps and restricting repository interactions are also crucial steps.
Enabling GitHub security alerts and monitoring access token activities can help detect unauthorized uses early. Developers should be wary of unsolicited emails requesting full repository access, as legitimate security tools will never make such requests.
Stay informed by following us on Google News, LinkedIn, and X for real-time updates. Set CSN as a preferred source in Google to ensure you receive comprehensive cybersecurity news.
