Waydev, an analytics platform used by software companies, has disclosed a security breach earlier this month.
The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
Hackers pivoted from Waydev to other companies
Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores.
When users install the app, Waydev receives an OAuth token that it can use to access its customers’ GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers.
Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.
The hackers then used some of these tokens to pivot to other companies’ codebases and gain access to their source code projects.
GitHub’s security team discovered the breach
Circei said Waydev learned of the breach after one of its customers was contacted by GitHub’s security team after GitHub detected suspicious activity originating from the customer’s Waydev token.
The Waydev CEO told ZDNet they learned of the attack on July 3 and patched the vulnerability exploited by attackers on the same day. They also worked with GitHub and GitLab to delist their original apps, revoke all affected OAuth tokens, and create new OAuth apps — effectively invalidating the hacker’s access to Waydev customers’ GitHub and GitLab accounts.
Circei says that based on current evidence, the hackers appear to have gained access only to a small subset of its customer codebases.
Waydev said it also notified US authorities about the security breach.
Circei said they’re also working with cyber-security firm Bit Sentinel on investigating the breach, and that they also deployed additional security protections to Waydev accounts, such as:
- Manual access – It is now impossible to create an account without approval from our security team;
- Monitoring all the activity;
- Tokens resetting two times a day;
- Reported the incident to authorities.
In a rare case of transparency, Waydev also released indicators of compromise associated with the hackers — such as email addresses, IP addresses, and user-agent strings — something that companies rarely do nowadays.
- IP Addresses of the hacker: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
- User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
- Email addresses: [email protected], [email protected], [email protected], [email protected]
The indicators of compromise, along with instructions for Waydev customers on how to search their logs for the hacker’s presence, are available in this Waydev support page.