Attacker Breach 'Dozens' of GitHub Repos Using Stolen OAuth Tokens:
GitHub shared the timeline of breaches in April 2022; this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.
GitHub revealed details tied to last week's incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.
"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats," said Mike Hanley, chief security officer, GitHub.
[...] GitHub analysis the incident include[sic] that the attackers authenticated to the GitHub API using the stolen OAuth tokens issued to accounts Heroku and Travis CI. It added, most of those affected authorized Heroku or Travis CI OAuth apps in their GitHub accounts. Attacks were selective and attackers listed the private repositories of interest. Next, attackers proceeded to clone private repositories.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," Hanley said. "GitHub believes these attacks were highly targeted," he added.
GitHub said it is in the process of sending the final notification to its customers who had either Travis CI or Heroku OAuth apps integrated into their GitHub accounts.
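The access pattern in the summary above (one OAuth token lists organizations, then lists repositories, then clones private repositories) can be written as a detection rule. This is an added example, not code from the article or from GitHub; the event schema, action names, token fingerprints and sample events are constructed for illustration and are not GitHub's audit-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, normalized schema:
# (time, token fingerprint, OAuth app, action, org, repo).
SAMPLE_EVENTS = [
    # tok-a1: enumerates, then clones private repos within two minutes.
    ("2022-04-12T02:00:05", "tok-a1", "ci-app", "list_orgs", "", ""),
    ("2022-04-12T02:00:40", "tok-a1", "ci-app", "list_repos", "acme", ""),
    ("2022-04-12T02:01:10", "tok-a1", "ci-app", "clone_private", "acme", "billing"),
    ("2022-04-12T02:01:55", "tok-a1", "ci-app", "clone_private", "acme", "infra"),
    # tok-b2: ordinary CI behaviour, clones a known repo without enumerating.
    ("2022-04-12T09:00:00", "tok-b2", "ci-app", "clone_private", "acme", "web"),
    ("2022-04-12T09:30:00", "tok-b2", "ci-app", "clone_private", "acme", "web"),
    # tok-c3: lists orgs, but the clone comes hours later (outside the window).
    ("2022-04-12T03:00:00", "tok-c3", "ci-app", "list_orgs", "", ""),
    ("2022-04-12T08:00:00", "tok-c3", "ci-app", "clone_private", "acme", "web"),
]

def find_enumerate_then_clone(events, window=timedelta(minutes=30)):
    """Return {token: sorted 'org/repo' clones} for tokens that list orgs,
    then list repos, then clone private repos, all inside one time window."""
    by_token = defaultdict(list)
    for ts, token, _app, action, org, repo in events:
        by_token[token].append((datetime.fromisoformat(ts), action, org, repo))

    flagged = {}
    for token, rows in by_token.items():
        rows.sort()                      # evaluate each token's events in time order
        stage, start, hits = 0, None, set()
        for ts, action, org, repo in rows:
            if start is not None and ts - start > window:
                stage, start = 0, None   # sequence went stale; require a fresh one
            if action == "list_orgs" and stage == 0:
                stage, start = 1, ts     # stage 1: organizations enumerated
            elif action == "list_repos" and stage == 1:
                stage = 2                # stage 2: repositories enumerated
            elif action == "clone_private" and stage == 2:
                hits.add(f"{org}/{repo}")  # clone that follows enumeration
        if hits:
            flagged[token] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for token, repos in find_enumerate_then_clone(SAMPLE_EVENTS).items():
        print(token, "enumerated then cloned:", ", ".join(repos))
```

The clone-only token and the token whose clone falls outside the window are not flagged, which keeps routine CI checkouts from drowning the signal.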
(Score: 3, Insightful) by MostCynical on Friday April 29 2022, @08:50PM
Anything that makes it 'easy' to log in to something is going to introduce additional vulnerabilities.
Anywhere you add a step to a trust chain, anywhere you put your credentials that isn't owned/managed by you, you add risk.
But people keep doing it.. because it was 'easier'.
Hospitals and other places with shared computers have been fighting human nature, and losing, for decades. User names are shared, passwords are written on post it notes stuck to the monitor (or even written on the monitor case).. because it takes additional time to log in and out, and they can't remember their login to yet another system....
People like 'easy' and 'fast'; good security is neither of these.. so people don't do it.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by Anonymous Coward on Friday April 29 2022, @09:09PM (1 child)
It's a Rube Goldberg contraption of auth mechanism cooked up by the web cartel (Google, Facebook, etc. - the usual suspects) - it adds convenience for these web-spying cartels but no better security.
(Score: 3, Informative) by digitalaudiorock on Saturday April 30 2022, @01:06AM
For anyone who's never seen it, there's this [archive.org] from the original lead author of oAuth2, who seems to agree.
My only experience with oAuth2 was rather horrible: My company used to use Google's ClientLogin for Google Calendar. Unlike all too many things, it was wonderfully simple...an API that let you change, delete, and create events in Google Calendar with a simple API that needed nothing more than a user name and password...but yea, that was WAY too simple to survive. Google stopped supporting that and claimed it was replaced by oAuth2, which at best was the world's biggest square peg in the world's smallest round hole:
1. It involved something on the order of 10,000 lines of Google PHP code, to replace what was about 30 lines of our own.
2. If you look at users' experiences trying to get it working, you quickly realized you weren't losing your mind, and that it was essentially impossible. It's important to note that this tended to involve solutions you'd read about and try, only to discover that Google rewrote the API in a non-backward compatible way and that you'd totally wasted your time.
3. Assuming you'd not given up by then, you discover that...and Google tells you nothing to this effect anywhere...none of this works no matter WHAT you do unless you have a non-free Google Domain account...which I'm guessing is probably the reason all of this happened in the first place.
So yea...fuck oAuth2 and the horse it rode in on, and anyone else involved...and Google.