Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev – this is why you don’t give cloud access to your crown jewels

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores.

When users install the app, Waydev receives an OAuth token that it can use to access its customers’ GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers.

Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.

The hackers then used some of these tokens to pivot to other companies’ codebases and gain access to their source code projects.

Source: Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev | ZDNet