- Joined
- Jun 13, 2020
- Messages
- 7,903
- Reaction score
- 942
- Points
- 212
- Awards
- 2
The attackers exploited a SQL injection vulnerability to gain access to the company's database.
Cybercriminals hacked the Waydev analytics platform used by software companies and stole OAuth tokens for GitHub and GitLab from the internal database.
American company Waydev operates a platform for tracking software development processes by analyzing Git-based codebases. To do this, Waydev launched a special application, after installing which the company receives an OAuth token for accessing projects of GitHub or GitLab clients. Waydev stores this token in its database and uses it daily to generate analytical reports.
Waydev CEO Alex Circei told ZDNet that the attackers exploited a hidden SQL injection vulnerability to gain access to the database, from where they stole OAuth tokens for GitHub and GitLab. With the help of tokens, criminals gained access to the code bases of other companies and the source code of their projects.
Experts released a fix for the vulnerability immediately after discovery on the same day. Together with GitHub and GitLab, they shut down the app, revoked all stolen OAuth tokens, and created new OAuth apps, denying hackers access to Waydev's GitHub and GitLab customer accounts.
Developers of financial app Dave.com and software testing service Flood.io have already reported the hack this month and blamed Waydev for the incidents.
Cybercriminals hacked the Waydev analytics platform used by software companies and stole OAuth tokens for GitHub and GitLab from the internal database.
American company Waydev operates a platform for tracking software development processes by analyzing Git-based codebases. To do this, Waydev launched a special application, after installing which the company receives an OAuth token for accessing projects of GitHub or GitLab clients. Waydev stores this token in its database and uses it daily to generate analytical reports.
Waydev CEO Alex Circei told ZDNet that the attackers exploited a hidden SQL injection vulnerability to gain access to the database, from where they stole OAuth tokens for GitHub and GitLab. With the help of tokens, criminals gained access to the code bases of other companies and the source code of their projects.
Experts released a fix for the vulnerability immediately after discovery on the same day. Together with GitHub and GitLab, they shut down the app, revoked all stolen OAuth tokens, and created new OAuth apps, denying hackers access to Waydev's GitHub and GitLab customer accounts.
Developers of financial app Dave.com and software testing service Flood.io have already reported the hack this month and blamed Waydev for the incidents.