Overview

On June 16, 2022, GitHub notified its customers of a bug in GitHub Apps that existed for a 5-day window between February 25 and March 2, 2022, and that could have been abused to grant excessive permissions to malicious third-party applications.

The disclosed bug is the latest example of how third-party integrations expand an organization's attack surface by exposing core systems, including (but certainly not limited to) GitHub.

The post below shares our current understanding of the GitHub Apps bug and its implications for the security posture of GitHub customers. We also share practical steps security teams can follow to verify that their organization's GitHub account hasn't been compromised.

GitHub Apps Bug Created Significant 3rd-party Risk: How You Can Stay Protected

About the GitHub Apps bug and its implications 

According to GitHub's disclosure of June 16, 2022, a bug in GitHub Apps allowed privilege escalation from a read permission to the equivalent write permission between February 25 and March 2, 2022. In other words, an app that had been installed with only read access to a resource (for example, repository contents) could have obtained write access to it.

Exploiting this bug would have required:

  a) a malicious or compromised GitHub App installed on your organization's GitHub account before or during that 5-day window, and

  b) a malicious actor who knew about the vulnerability.

Even though GitHub fixed the bug at the beginning of March 2022, there are several ways a malicious actor could have abused it within that 5-day window to obtain persistent access and leave long-term effects on your organization's GitHub account. For example, they could have gained lasting access to your company's source code by adding a webhook that forwards repository events to an external server, or by adding a rogue user to your organization. They could also have used the elevated write permission to inject malicious code into your private repositories. Because such persistence outlives the bug itself, GitHub's fix does not remove it; it has to be found and cleaned up.

Remediation guide: immediate steps to secure your GitHub account

We recommend the following steps to verify that your GitHub account hasn't been compromised:

  1. Review the GitHub audit log (available through the organization settings UI, and through the REST API on GitHub Enterprise Cloud) for the 5-day window reported by GitHub (February 25 – March 2, 2022), with special attention to the following action types:
    1. Creating or modifying webhooks: [hook.create, hook.config_changed, hook.events_changed]
    2. Adding members: [org.add_member, org.invite_member]
    3. Code editing: [pull_request.merge], especially by non-human actors
  2. Note any irregular or suspicious activity (and reach out if you have concerns).

Two caveats when doing this review. First, the organization audit log retains events for 180 days, so as of the June 16 disclosure the window is still covered, but it will age out in late August 2022; export the relevant events now so they remain available for investigation. Second, Git events such as pushes are retained in the audit log for only 7 days, so code pushed directly to a repository during the window will not appear there; check the commit history of your repositories (especially commits authored by bots or app installations) for that.
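The review above can be scripted over an exported copy of the audit log. The following is an added example, not code from the original post or from GitHub: it filters the exported events down to the action types listed in the guide, restricted to the February 25 – March 2, 2022 window, and marks webhook changes and merges by non-human actors as high severity. It assumes the JSON export format with `action`, `actor`, `repo` and `created_at` fields (where `created_at` is either a millisecond epoch, as in the API, or an ISO 8601 string), and it assumes GitHub Apps appear in the actor field with a `[bot]` suffix. The sample events are constructed for offline use, not taken from a real organization.

```python
import json
from datetime import datetime, timezone

# Audit log action types to review, as listed in the remediation guide above,
# with a note on why each one matters for persistence after the bug was fixed.
WATCHED_ACTIONS = {
    "hook.create": "new webhook: possible exfiltration channel for repository events",
    "hook.config_changed": "webhook target or secret changed",
    "hook.events_changed": "webhook event subscriptions changed",
    "org.add_member": "member added to the organization",
    "org.invite_member": "member invited to the organization",
    "pull_request.merge": "code merged; suspicious when done by a non-human actor",
}

# Vulnerable window from GitHub's disclosure: February 25 through March 2, 2022.
# The end bound is exclusive, so the window covers all of March 2 (UTC).
WINDOW_START = datetime(2022, 2, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 3, 3, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Accept the millisecond epoch used by the audit log API as well as ISO 8601 strings."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def is_bot_actor(actor):
    # Assumption: GitHub Apps show up in the actor field with a "[bot]" suffix
    # (e.g. "dependabot[bot]"); treat that as the non-human indicator.
    return actor.endswith("[bot]")


def find_suspicious_events(events, start=WINDOW_START, end=WINDOW_END):
    """Return the watched events inside the window, oldest first, each with a severity."""
    findings = []
    for event in events:
        action = event.get("action", "")
        if action not in WATCHED_ACTIONS:
            continue
        ts = parse_timestamp(event["created_at"])
        if not (start <= ts < end):
            continue
        actor = event.get("actor", "")
        # Webhook changes and bot-driven merges are the persistence patterns the
        # post calls out; membership changes by humans still need a manual look.
        high = action.startswith("hook.") or (
            action == "pull_request.merge" and is_bot_actor(actor)
        )
        findings.append({
            "timestamp": ts.isoformat(),
            "action": action,
            "actor": actor,
            "repo": event.get("repo"),
            "severity": "high" if high else "medium",
            "why": WATCHED_ACTIONS[action],
        })
    return sorted(findings, key=lambda f: f["timestamp"])


def load_audit_export(path):
    """Load a JSON export of the audit log (a JSON array of event objects)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample events for offline use; not a real organization's log.
SAMPLE_EVENTS = [
    {"action": "hook.create", "actor": "ci-helper[bot]", "repo": "acme/payments",
     "created_at": 1645869600000},                       # 2022-02-26T10:00:00Z as ms epoch
    {"action": "org.add_member", "actor": "alice", "org": "acme",
     "created_at": "2022-02-28T12:00:00Z"},
    {"action": "pull_request.merge", "actor": "ci-helper[bot]", "repo": "acme/payments",
     "created_at": "2022-03-01T08:30:00Z"},
    {"action": "pull_request.merge", "actor": "carol", "repo": "acme/web",
     "created_at": "2022-03-02T23:59:00Z"},
    {"action": "repo.create", "actor": "alice", "repo": "acme/sandbox",
     "created_at": "2022-02-27T09:00:00Z"},               # not a watched action
    {"action": "hook.create", "actor": "bob", "repo": "acme/web",
     "created_at": "2022-03-04T09:00:00Z"},               # outside the window
]

if __name__ == "__main__":
    for f in find_suspicious_events(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['severity']:6} {f['action']:20} {f['actor']:16} {f['why']}")
```

Run against a real export with `find_suspicious_events(load_audit_export("audit-log.json"))`. The same filter can be expressed directly in the audit log search box with the `created:2022-02-25..2022-03-02` and `action:hook.create` qualifiers (one action per query), which is a quick way to confirm a finding in the UI. A high-severity hit is not proof of compromise; it is the event to trace next: where the webhook points, what the bot merged, and whether the app that performed the action was installed before or during the window.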

Lesson learned: a Zero Trust approach to third-party integrations

The GitHub Apps vulnerability is yet another example of why organizations should adopt a Zero Trust approach to app-to-app connectivity, especially for third-party integrations, enforcing least-privileged programmatic access for every integration.

With the proliferation of third-party services connected to core engineering systems like GitHub, minimizing the third-party integration attack surface is challenging. It requires security teams to monitor and audit not just the applications themselves but every app-to-app connection and credential (OAuth apps, webhooks, tokens, etc.), with exposure scoring and ongoing monitoring.

How we can help 

Astrix helps security teams control the risks of over-privileged and shadow integrations. With agentless, one-click deployment, Astrix enables security teams to instantly see through the fog of connections and detect redundant, misconfigured, and malicious third-party exposure to their critical systems.

Send us an email to Contact_us@astrix.security to learn more – or for help reviewing your organization’s GitHub audit log to evaluate the risk of malicious activity. 


Risk #3: Compliance violations
  • What it is: An act that compromises an organization’s ability to comply with relevant governmental, legal, or industry frameworks – for example, data privacy regulations (like GDPR) or security and governance (like SOC 2).
  • Recent example: Ticketmaster received a $1.6 million fine for GDPR violations after hackers exploited vulnerabilities in the code of a third-party chat app vendor on its checkout page, exposing customers’ personal and payment data.
  • Why third-party integrations increase the risk: Any third-party application involved in data processing is part of an enterprise’s regulatory purview – meaning that the organization is ultimately responsible (often financially and legally) for its handling of sensitive data.
Risk #2: Direct malicious access
  • What it is: Malicious actors seek direct access to core platforms by tricking users into granting consent (via OAuth permissions rather than explicit credential phishing) or by taking advantage of leaked API keys, certificates, webhook URLs, etc.
  • Recent example: Microsoft recently warned of a phishing attack in which Office 365 users received emails intended to trick them into granting OAuth permissions to a fake app.
  • Why third-party integrations increase the risk: With third-party applications increasingly integrated with core platforms, their access tokens give malicious actors access to data and operations on an organization's critical systems.
Risk #1: Supply chain attacks
  • What it is: A third-party app integrated with a trustworthy central platform may "leak" sensitive data into a less secure environment. Malicious actors abuse security vulnerabilities in a legitimate (but less secure) third-party application and exploit its privileged access to sensitive information (like credentials or data).
  • Recent example: Hackers compromised the software development tool Codecov to gain access to, and rapidly copy and export to an attacker-controlled server, sensitive secrets, credentials and IP associated with software accounts at thousands of clients.
  • Why third-party integrations increase the risk: More and more third-party applications hold the “keys to the kingdom”: the most privileged credentials in the enterprise. Any third party application that can be compromised opens up the possibility of unauthorized intrusion (and data extraction, ransoming, and more) by malicious actors.