Heroku has now confirmed that last month’s theft of GitHub integration OAuth tokens resulted in the compromising of an internal customer database.
The Salesforce-owned cloud platform admitted that attackers used the same compromised token to steal customers’ hashed and salted passwords from “a database.”
Heroku released the update after BleepingComputer reached out to Salesforce yesterday.
Even though BleepingComputer does not have any OAuth integrations that leverage Heroku apps or GitHub, we received an unexpected password reset email from Heroku, as did many other users. This suggested that the password resets were connected to something else.
Heroku explains the forced password resets
Following last month’s security breach, Heroku began forcing password resets for a fraction of its user accounts this week, without properly explaining why.
Some Heroku users received emails on Tuesday night headlined “Heroku security notification – resetting user account passwords on May 4, 2022,” informing them that their account passwords were being reset as a result of the security breach. According to the email, the reset would also invalidate all existing API access tokens, so users would have to generate new ones.
Threat actors stole OAuth tokens granted to Heroku and Travis-CI and used them to obtain data from private GitHub repositories belonging to dozens of firms, including npm, in the original security incident.
“On April 12, GitHub Security launched an investigation into evidence that an attacker utilized stolen OAuth user tokens supplied to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” according to GitHub.
These tokens had been issued to the Heroku and Travis-CI OAuth applications so they could integrate with GitHub and deploy applications on users’ behalf.
By stealing these OAuth tokens, the threat actors could access and download data from GitHub repositories belonging to users who had authorized the Heroku or Travis-CI OAuth apps on their accounts. Note that the incident had no effect on GitHub’s own infrastructure, systems, or private repositories.
But, until recently, that didn’t explain why Heroku needed to reset some user account passwords.
Using the compromised token for a Heroku machine account, the threat actors gained unauthorized access to Heroku’s internal database of customer accounts:
“The same compromised token was also used to obtain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts,” Heroku writes in an updated security advisory.
“As a result, Salesforce is ensuring that all Heroku user passwords are reset, as well as any potentially affected credentials. Internal Heroku credentials have been rotated, and further detections have been implemented. The source of the token compromise is still being investigated.”
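The advisory says the attackers took “hashed and salted” password verifiers and that Salesforce is resetting every password anyway. The following added example (not Heroku’s or Salesforce’s code; the hashing parameters and user records are assumptions constructed for illustration) shows what a salted, iterated password hash looks like, why the salt stops one guess from being reused across users, why a stolen record still permits offline guessing against known-weak passwords, and what invalidating the stored verifier during a forced reset does:

```python
"""Added example: salted password hashing and why a dumped hash still forces a reset.

Assumptions (not from the Heroku advisory): per-user random 16-byte salt,
PBKDF2-HMAC-SHA256 as the slow hash, and constructed demo user records.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed work factor for the demo; a real deployment tunes this to its hardware.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Return a storable record: random salt, iteration count, and the PBKDF2 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex(),
            "reset_required": False}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    A record whose verifier was cleared by a forced reset never verifies."""
    if record.get("hash") is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def matches_known_weak_password(record: dict, weak_list: Iterable[str]) -> Optional[str]:
    """Defender's audit of a dumped record: does it verify against a list of
    known-weak passwords? This is exactly the offline check an attacker holding
    the dump can run, which is why salting alone does not remove the need for
    a reset. Returns the matching weak password, or None."""
    for candidate in weak_list:
        if verify_password(candidate, record):
            return candidate
    return None


def force_reset(record: dict) -> dict:
    """Incident-response step: drop the stored verifier so neither the old
    password nor a successful offline guess of it grants access until the
    user sets a new one."""
    return {**record, "hash": None, "reset_required": True}


if __name__ == "__main__":
    # Constructed demo users; two of them chose the same (weak) password.
    users = {name: hash_password(pw, iterations=10_000)
             for name, pw in [("alice", "summer2022"), ("bob", "summer2022"), ("carol", "k9#Vq!2xLm")]}
    # Different salts give different digests for the same password.
    print("alice != bob digest:", users["alice"]["hash"] != users["bob"]["hash"])
    weak = ["password", "123456", "summer2022"]
    for name, rec in users.items():
        print(name, "weak match:", matches_known_weak_password(rec, weak))
    reset = force_reset(users["alice"])
    print("old password after reset:", verify_password("summer2022", reset))
```

The iteration count only slows each guess; it does not make a stolen record safe, so the audit result for `alice` and `bob` above (a hit on `summer2022`) is the argument for the platform-wide reset the advisory describes.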
A Hacker News reader speculated that the “database” in question was the one internally known as “core-db.”
The reader is Craig Kerstiens of the PostgreSQL platform Crunchy Data, who previously worked at Heroku.
“The most recent report mentions ‘a database,’ which is most likely the internal database,” Kerstiens explains.
“I’m not going to guess too much, but [the attacker] appears to have had access to internal systems. GitHub was the one who discovered it and reported it to Heroku. I agree that more explanation is needed, but it’s better to follow up with Salesforce on this.”
Kerstiens confirmed to BleepingComputer that he had written these comments.
Customers call the vague disclosure a “train wreck”
Heroku’s initial report of the security incident tied the unauthorized access to GitHub repositories belonging to accounts that had authorized Heroku’s compromised OAuth integration.
“The threat actor may gain access to customer GitHub repositories, but not customer Heroku accounts,” the business previously warned.
However, customers were justifiably concerned that Heroku’s investigation might have uncovered additional malicious activity by the threat actors that was not being reported.
Some Hacker News readers called the disclosure “a complete train wreck and a case study on how not to interact with your customers.”
Heroku has begun to shed some light on the issue in an effort to be more transparent with the community.
“We encourage transparency and recognize that our customers want to know more about the impact of this issue and our reaction so far,” Heroku states.
After working with GitHub, threat intelligence vendors, industry partners, and law enforcement during the investigation, the cloud platform announced that it had reached a point where more information could be disclosed without jeopardizing the ongoing investigation:
“A threat actor gained access to a Heroku database on April 7, 2022, and downloaded stored customer GitHub integration OAuth tokens. A hacked token for a Heroku machine account was used to gain access to the environment. The threat actor started enumerating metadata about client repositories with the downloaded OAuth tokens on April 8, 2022, according to GitHub. The attacker downloaded a section of the Heroku private GitHub repositories from GitHub on April 9, 2022, which contained some Heroku source code.
On April 12, 2022, GitHub discovered the behavior and notified Salesforce, at which point we launched our investigation. As a result, on April 16, 2022, we canceled all GitHub integration OAuth tokens, stopping customers from using the Heroku Dashboard or automation to deploy apps from GitHub. Before we re-enable this functionality, we want to make sure the integration is secure.”
By contrast, Travis-CI, the other third-party integrator named by GitHub, announced on the next business day after GitHub’s initial statement that the incident had had no impact on customer data.
Heroku users should keep an eye on the security notification page for any updates on the situation.