Security risks of personal access tokens exposed by attacks on GitHub


Hundreds of GitHub repositories, including some in private organizations, have been compromised and malicious code injected, according to a report from application security company Checkmarx.

The attackers crafted commit metadata so that their pull requests appeared to originate from Dependabot, the GitHub service that inspects a project's dependencies for known vulnerabilities and opens automatic updates to the latest fixed version. The malicious payload added a new GitHub Action that exfiltrated any project secrets to an attacker-controlled server, and injected password-stealing JavaScript into web forms found in the repository.
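A defender can catch this kind of spoofing from commit metadata alone: a genuine Dependabot commit is authored by the `dependabot[bot]` app account and carries GitHub's signature, so the commit object reports it as verified, while a commit that merely copies Dependabot's name and message style does not. The script below, an added example that is not code from the article or from Checkmarx, triages a list of commit records shaped like GitHub's REST commit object and also flags any commit that touches `.github/workflows/`, since that is where a new Action would land. The records, SHAs, names and e-mail addresses are constructed; the "Bump ... from ... to ..." message heuristic and the use of the `files` list (present on the single-commit endpoint) are assumptions made for the example.

```python
"""Triage commits that claim to come from Dependabot but are not what Dependabot
would produce. Added example, not code from the article or from Checkmarx.

The records below are constructed to follow the shape of GitHub's REST commit
object: top-level "sha" and "author" (the GitHub account that pushed), a nested
"commit" with "author", "message" and "verification", plus "files" as returned by
the single-commit endpoint. SHAs, names and e-mail addresses are made up.
"""
import re

DEPENDABOT_LOGIN = "dependabot[bot]"   # GitHub app account behind real Dependabot PRs
WORKFLOW_DIR = ".github/workflows/"    # a new GitHub Action would be added here


def claims_dependabot(commit: dict) -> bool:
    """Does the commit *present itself* as Dependabot (name, e-mail or message)?"""
    meta = commit["commit"]
    name = meta["author"].get("name", "")
    email = meta["author"].get("email", "")
    msg = meta.get("message", "")
    # Heuristic (assumption): Dependabot messages read "Bump <pkg> from <a> to <b>".
    return ("dependabot" in (name + email).lower()
            or re.match(r"^Bump \S+ from \S+ to \S+", msg) is not None)


def is_genuine_dependabot(commit: dict) -> bool:
    """Real Dependabot commits come from the dependabot[bot] account and are
    signed by GitHub, so commit.verification.verified is true."""
    login = (commit.get("author") or {}).get("login")
    verified = commit["commit"].get("verification", {}).get("verified", False)
    return login == DEPENDABOT_LOGIN and verified


def touches_workflows(commit: dict) -> bool:
    """Did the commit add or modify anything under .github/workflows/?"""
    return any(f.get("filename", "").startswith(WORKFLOW_DIR)
               for f in commit.get("files", []))


def triage(commits: list) -> dict:
    """Return {sha: [reasons]} for every commit that deserves a human look."""
    findings = {}
    for c in commits:
        reasons = []
        if claims_dependabot(c) and not is_genuine_dependabot(c):
            reasons.append("claims Dependabot but is unverified or from another account")
        if touches_workflows(c):
            reasons.append("changes a GitHub Actions workflow")
        if reasons:
            findings[c["sha"]] = reasons
    return findings


# Constructed sample data (not real commits).
SAMPLE_COMMITS = [
    {   # genuine: pushed by the app account and signed by GitHub
        "sha": "aaaa0001",
        "author": {"login": "dependabot[bot]"},
        "commit": {"author": {"name": "dependabot[bot]",
                              "email": "dependabot[bot]@users.noreply.github.com"},
                   "message": "Bump lodash from 4.17.20 to 4.17.21",
                   "verification": {"verified": True}},
        "files": [{"filename": "package-lock.json"}],
    },
    {   # spoofed: same name in the commit metadata, but pushed from a user
        # account (e.g. with a stolen PAT), unsigned, and adding a workflow
        "sha": "bbbb0002",
        "author": {"login": "alice-dev"},
        "commit": {"author": {"name": "dependabot[bot]",
                              "email": "dependabot[bot]@users.noreply.github.com"},
                   "message": "Bump lodash from 4.17.20 to 4.17.21",
                   "verification": {"verified": False}},
        "files": [{"filename": "package-lock.json"},
                  {"filename": ".github/workflows/ci.yml"}],
    },
    {   # ordinary human commit, nothing to flag
        "sha": "cccc0003",
        "author": {"login": "alice-dev"},
        "commit": {"author": {"name": "Alice", "email": "alice@example.com"},
                   "message": "Fix typo in README",
                   "verification": {"verified": False}},
        "files": [{"filename": "README.md"}],
    },
]

if __name__ == "__main__":
    for sha, reasons in triage(SAMPLE_COMMITS).items():
        print(sha, "->", "; ".join(reasons))
```

Run against real data by feeding it the JSON from the repository's commits endpoint; only the spoofed commit above is reported, with both reasons. The key design choice is to trust the pushing account and the signature status rather than the free-text author fields, because those are exactly what the attackers controlled.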

GitHub has steadily increased its efforts to strengthen authentication for users of its platform. This includes deprecating basic authentication for git operations and API usage, email verification for access from previously unknown devices, making two-factor authentication mandatory for all users who contribute code on GitHub.com, and adding passkey support.

There is a problem, though, with the need to support automated processes that require read-write repository access. GitHub provides personal access tokens (PATs) for this purpose: in effect passwords, typically with a short lifetime, that bypass many of GitHub’s advanced authentication features. GitHub offers two types of personal access token. “Classic” tokens have broad permissions to act as the user; “fine-grained” tokens, currently in beta, can be limited to a minimal set of permissions on specific repositories, according to what is required. Fine-grained tokens are therefore more secure but require more management. They also have some limitations, including lack of support for some API operations and inability to access repositories in external organizations where the user is a collaborator.

According to Checkmarx, “when inspecting the accounts’ activity we realized that the attackers accessed the accounts using compromised PATs (Personal Access Tokens) – most likely exfiltrated silently from the victim’s development environment.” The scale of the attacks suggests automation, the researchers said.

Organizations can set policy to restrict the use of classic tokens. In many cases, though, their use is hard to avoid. The complexity of fine-grained tokens compared with classic ones is another issue for some developers.

Although these attacks did not exploit any vulnerabilities in GitHub itself, the researchers hinted that the company could do more to help organizations discover unauthorized use of personal access tokens. “GitHub’s personal access tokens access log activity is only visible for the enterprise accounts,” they noted.

GitHub advises users to “treat your access tokens like passwords.” Further best practice is to find ways of working that do not require them, wherever possible, and to use fine-grained tokens rather than classic.
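Treating tokens like passwords also means checking that they have not leaked into files in the development environment, which is where Checkmarx believes these PATs were taken from. The scanner below is an added example, not code from the article or from GitHub; it looks for strings shaped like GitHub tokens using the publicly documented prefixes (`ghp_` for classic PATs, `github_pat_` for fine-grained ones, `gho_`/`ghu_`/`ghs_`/`ghr_` for other GitHub-issued tokens) and reports them redacted. The exact body lengths in the regexes and the sample files and token values are constructed for the example.

```python
"""Scan developer-environment files for strings shaped like GitHub personal
access tokens, so a leaked token is found by its owner before an attacker.
Added example, not code from the article or from GitHub. Token prefixes follow
GitHub's published formats; the body lengths are the assumption made here, and
every sample file and token value below is constructed (none is a real token).
"""
import re

# Each pattern is a prefix plus a fixed-length alphanumeric body, bounded so a
# longer identifier that merely contains the prefix is not reported.
TOKEN_PATTERNS = {
    "classic_pat": re.compile(
        r"(?<![A-Za-z0-9_])ghp_[A-Za-z0-9]{36}(?![A-Za-z0-9_])"),
    "fine_grained_pat": re.compile(
        r"(?<![A-Za-z0-9_])github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}(?![A-Za-z0-9_])"),
    "other_github_token": re.compile(          # gho_, ghu_, ghs_, ghr_
        r"(?<![A-Za-z0-9_])gh[ousr]_[A-Za-z0-9]{36}(?![A-Za-z0-9_])"),
}


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters for reporting."""
    head = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return head + "*" * (len(token) - len(head) - 4) + token[-4:]


def scan_text(name: str, text: str) -> list:
    """Return (file, line_no, kind, redacted) for every token-shaped match."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((name, line_no, kind, redact(m.group(0))))
    return hits


def scan_files(files: dict) -> list:
    """Scan a {filename: contents} mapping, e.g. built from os.walk()."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


# Constructed sample environment; the "tokens" are placeholders of the right shape.
FAKE_CLASSIC = "ghp_" + "A" * 32 + "1234"                              # 4 + 36 chars
FAKE_FINE = "github_pat_" + "B" * 22 + "_" + "C" * 55 + "wxyz"         # 11 + 22 + 1 + 59

SAMPLE_FILES = {
    ".env": f"GITHUB_TOKEN={FAKE_CLASSIC}\nDB_PASSWORD=hunter2\n",
    ".npmrc": f"//npm.pkg.github.com/:_authToken={FAKE_FINE}\n",
    # Placeholders in docs have the prefix but not the length, so they are skipped.
    "README.md": "Use a token like ghp_xxxx (placeholder) or github_pat_REDACTED\n",
}

if __name__ == "__main__":
    for name, line_no, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {kind} {shown}")
```

Only the two real-shaped values are reported, with their bodies masked; the README placeholders are ignored because they are too short. Wiring the same `scan_text` into a pre-commit hook or a CI job over the working tree turns this from a one-off check into a standing control.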