An unidentified threat actor gained administrative access on Sourcegraph, allowing them to grant premium access to a large number of users for free.
The AI-driven service is used by developers at Dropbox, Reddit, Uber, and other high-profile companies; the attacker used their access to hand out premium resources at no cost.
In a statement by Sourcegraph's Head of Security, Diego Comas:
“Sourcegraph experienced a security incident that allowed a single attacker to access some data on Sourcegraph.com.”
The attack compromised paid customers' accounts, exposing information such as license keys, license-key recipient names, and email addresses. Only a subset of Sourcegraph customers' license keys is said to be affected, and the organization stated that it is reaching out to the affected customers directly to rotate their license keys.
A Mistake that Cost Much:
The incident, a costly mistake, was noticed by Sourcegraph on the 30th August 2023. According to its report, a malicious attacker used a site-admin access token that had been leaked publicly, and then used that privilege to increase the API rate limits for a small number of users.
In a statement made on their blog:
“On the 30th August 2023, our team noticed a significant increase in API usage and began investigating the cause. The spike in usage was ruled as isolated and inorganic and our security, engineering, and support teams quickly assembled to understand what was going on.”
The team discovered that a code commit made on July 14th on GitHub had accidentally leaked the site-admin access token in a pull request. The attacker took advantage of this to impersonate a user and gain access to Sourcegraph's administrative console.
Attack Timeline and Organization Transparency:
According to the timeline published by Sourcegraph's technical team, the attack commenced on 28th August 2023 at 13:18:36 UTC, when a user created a new account on the Sourcegraph website.
On the 30th August 2023 at 06:47:59 UTC, the user then used the leaked site-admin access token to elevate their account to a site-admin account, thereby gaining access to Sourcegraph's admin console.
“The malicious user continued to probe the system by changing their access from site-admin to regular user multiple times.”
Although there is no proof of who specifically carried out the next step, Sourcegraph said:
“The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph’s API and leveraging the underlying LLM (Large Language Model). Users were then instructed to create free Sourcegraph.com accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit.”
Users took advantage of this window to create accounts and begin using the proxy app. The app and the instructions for using it became public, receiving over 2 million views.
The impact, once the attacker had gained access, was limited to paid customers' license keys, license-key recipients' names and email addresses, and the email addresses of free-tier community users.
In a statement the company issued on their findings:
“We have no indication that any of this data was viewed, modified, or copied, but the malicious user could have viewed license key recipients’ email and community user email addresses as they navigated the admin dashboard.”
They further stated that the attacker could only access a page on the admin dashboard that displays 20 license-key items at a time, and because of the table's sorting, Sourcegraph's incident team was able to determine which items the threat actor could have viewed at that point.
Response and Mitigation:
The organization's response involved a series of quick actions by its incident team. On August 30th at 13:25:54 UTC, Sourcegraph's security team identified the attacker's user account and revoked its access. They then opened an investigation and began mitigating the problem.
The mitigation included revoking the malicious account's access, proactively rotating the subset of customer license keys that may have been viewed by the attacker, temporarily reducing the rate limits for all free community users, and creating new test procedures that actively monitor for abuse and malicious activity.
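As an added illustration (not Sourcegraph's own code; the event layout, field names and accounts are assumed), the two detection signals the write-up describes, an account toggling between site-admin and regular user and a sudden spike in API usage, expressed over constructed audit events:

```python
"""Detections for the two signals in the write-up above: an account flipping
between site-admin and regular user, and a sudden spike in API usage.
Event layout and field names are assumed for illustration, not Sourcegraph's own."""
from collections import defaultdict

# Constructed sample audit events: (timestamp, actor, event, detail)
EVENTS = [
    ("2023-08-30T06:47:59Z", "mallory", "role_change", "site-admin"),
    ("2023-08-30T06:52:10Z", "mallory", "role_change", "user"),
    ("2023-08-30T07:01:33Z", "mallory", "role_change", "site-admin"),
    ("2023-08-30T07:05:02Z", "mallory", "role_change", "user"),
    ("2023-08-30T07:30:00Z", "mallory", "rate_limit_change", "freeuser42:100000"),
    ("2023-08-30T07:31:00Z", "admin1", "role_change", "site-admin"),
]

# Constructed hourly API call counts per account, oldest hour first.
API_CALLS_PER_HOUR = {
    "freeuser42": [12, 15, 9, 11, 14, 2400],
    "alice": [40, 38, 45, 41, 39, 44],
}


def role_flip_flops(events, min_changes=3):
    """Accounts whose role changed at least min_changes times (probing behaviour)."""
    counts = defaultdict(int)
    for _, actor, event, _ in events:
        if event == "role_change":
            counts[actor] += 1
    return sorted(a for a, n in counts.items() if n >= min_changes)


def usage_spikes(per_hour, factor=10.0):
    """Accounts whose latest hour exceeds factor x their prior hourly average."""
    flagged = {}
    for account, series in per_hour.items():
        baseline = series[:-1]
        if not baseline:
            continue
        avg = sum(baseline) / len(baseline)
        if avg > 0 and series[-1] > factor * avg:
            flagged[account] = round(series[-1] / avg, 1)
    return flagged


def rate_limit_changes_by(events):
    """Map each actor to the accounts whose rate limit they changed."""
    out = defaultdict(list)
    for _, actor, event, detail in events:
        if event == "rate_limit_change":
            out[actor].append(detail.split(":")[0])
    return dict(out)
```

Correlating the three outputs (a role-toggling account that also raised the limit of an account whose usage then spiked) gives the kind of alert that would have surfaced this incident earlier than the aggregate API-usage spike did.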
On further steps to be taken, the company said:
“Our team are actively working to create a long-term solution for our community and customers to prevent future incidents like this. While we are not ready to publicly share our additional mitigation options at this time as our internal investigation is still ongoing, know that we are working around the clock to implement a solution that is least disruptive to the Sourcegraph community at large.”
Please let us know your thoughts about this in the comment section.