GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom



Jan 31, 2023 | Ravie Lakshmanan | Security Incident / Encryption

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.

As a result, the company is taking the step of revoking the exposed certificates out of an abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.

Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of Atom. GitHub Desktop for Windows is not affected.

The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

The repositories are said to have been cloned a day before by a compromised personal access token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials have since been revoked. GitHub did not disclose how the token was breached.

“Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows,” GitHub’s Alexis Wales said. “We have no evidence that the threat actor was able to decrypt or use these certificates.”

It’s worth pointing out that a successful decryption of the certificates could permit an adversary to sign trojanized applications with these certificates and pass them off as originating from GitHub.

The three compromised certificates (two DigiCert code signing certificates used for Windows and one Apple Developer ID certificate) are set for revocation on February 2, 2023.

The code hosting platform also said it released a new version of the Desktop app on January 4, 2023, that’s signed with new certificates that were not exposed to the threat actor. It further emphasized that no unauthorized changes were made to the code in these repositories.
