GitHub & GitLab OAuth - security update

-- (July 7, 2020, 5 am PST update)

July 2, 2020, 11:20 am PST

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token. The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens.

July 3, 2020, 9:45 am PST

Our Security team, together with the Bit Sentinel team (an independent security company), identified that between June 10, 2020, and July 3, 2020, the attackers:

  • performed multiple attacks through an AJAX call;
  • performed exploratory activities;
  • launched automated scanners.

July 3, 2020, 12:45 pm PST

The Waydev team fixed the issues and eliminated the potential threats believed to be linked to the incident.

July 6, 2020, 11 pm PST

We learned from the GitHub Security Team that the attacker might have cloned repositories belonging to users who connected via GitHub OAuth. Because of GitHub's privacy policy, GitHub will inform the affected users directly.

July 7, 2020, 1 am PST

Here are the latest updates regarding our ongoing security investigation:
  • The attackers managed to retrieve personal details such as email addresses and first and last names, but they did not retrieve any passwords.
  • There is a possibility that the attackers cloned GitHub and GitLab projects. We have no evidence that they cloned projects from any other Git provider.
  • There is a possibility that the attackers gained access to our source code. We are currently performing a full code review and will fix any issues we identify.
  • We are working closely with legal, technical, and communications specialists, and we are in the process of notifying law enforcement authorities about our investigation.
The security measures we recommend our users take are:
  1. Check for any suspicious activity in your GitHub and GitLab accounts: review the security/audit log, the authorized OAuth applications, and any SSH or deploy keys you do not recognize.
  2. Review your codebase and rotate every credential it contains (passwords, private keys, API secret keys, etc.). Tools such as DumpsterDiver or truffleHog perform high-entropy searches that help find these in the code. Rotate the secrets even if you remove them from the repository: a cloned copy keeps the full history.
  3. Enable a web application firewall such as Cloudflare, mod_security, or any other WAF solution.
  4. Perform a code review (static or dynamic analysis, or a manual security code review) to identify vulnerabilities an attacker may exploit, and fix all critical findings.
  5. Check the error logs of your main services (e.g. web server, database, and application-level logs).
  6. If you see suspicious activity or believe your database was exposed, engage a cyber security company to assist with incident response and forensics. Be ready to reset user passwords.
  7. Enable logging (including POST data; protect these logs, since request bodies can contain credentials). Establish a baseline of user traffic, for example total requests per IP, and examine the activity of unusually high-traffic users for exploitation attempts.
For Apache access logs, for example, you can run the following commands:
  • List the most active IP addresses by number of log lines: awk '{ print $1 }' *access*log | sort | uniq -c | sort -nr | head -50
  • Find the most active users by number of POST requests and see what they are doing.
  • Find the most frequent user agents and look for suspicious ones: awk -F'"' '{print $6}' access.log | sort | uniq -c | sort -rg | head
  • Find the users generating the most errors (non-200 response codes, especially 4XX or 5XX) and understand what they are doing.
Our indicators of compromise are:
a. Attacker IP addresses (xxx marks a masked last octet): 193.169.245.24, 185.230.125.163, 66.249.82.0, 185.220.101.30, 84.16.224.30, 185.161.210.xxx, 151.80.237.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
b. User agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 (a generic Firefox 68 string, so treat it as an indicator only in combination with the addresses above)
c. Email addresses:
i. saturndayc@protonmail.com
ii. ohoussem.bale6@sikatan.co
iii. 5abra.adrinelt@datacoeur.com
iv. 4monica.nascimene@vibupis.tk
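The commands in item 7 above cover only two of the four log checks, and the indicator list is most useful when it can be run against a log. The following script is an added example written for this page, not Waydev's or Bit Sentinel's tooling. It works on a constructed Apache combined-format log in which the addresses 193.169.245.24 and 185.161.210.44 and the Firefox/68 user agent are taken from the indicator list above and 10.0.0.5 is a made-up benign client. It turns each of the four checks into a shell function and adds a fixed-string grep pass over an indicator file, treating a masked address such as 185.161.210.xxx as the prefix 185.161.210. (a constructed handling choice, not something the page specifies).

```shell
#!/bin/sh
# Added triage helpers for Apache combined-format access logs (example code for
# this page, not Waydev's or Bit Sentinel's tooling). The log below is
# constructed: 10.0.0.5 is a made-up benign client; the other two addresses and
# the Firefox/68 user agent come from the indicator list above.

LOG="$(mktemp)"
IOC="$(mktemp)"
trap 'rm -f "$LOG" "$IOC"' EXIT

cat > "$LOG" <<'EOF'
193.169.245.24 - - [02/Jul/2020:10:00:01 +0000] "POST /api/ajax HTTP/1.1" 500 12 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
193.169.245.24 - - [02/Jul/2020:10:00:02 +0000] "POST /api/ajax HTTP/1.1" 500 12 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
193.169.245.24 - - [02/Jul/2020:10:00:03 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
185.161.210.44 - - [02/Jul/2020:10:00:04 +0000] "GET /api/users?page=1 HTTP/1.1" 403 0 "-" "python-requests/2.23.0"
10.0.0.5 - - [02/Jul/2020:10:00:05 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
10.0.0.5 - - [02/Jul/2020:10:00:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
EOF

# Indicators as fixed strings for grep -F. A masked address such as
# 185.161.210.xxx is written as the prefix "185.161.210." so that every host in
# that /24 matches (an assumption made for this example).
cat > "$IOC" <<'EOF'
193.169.245.24
185.161.210.
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
EOF

# Requests per client IP, busiest first (the page's first command as a function).
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n 50
}

# POST requests per client IP. In combined format $6 is the quoted method ("POST).
post_per_ip() {
    awk '$6 ~ /^"POST/ { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# 4xx/5xx responses per client IP; $9 is the HTTP status code.
errors_per_ip() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# User agents by frequency; with -F'"' the user agent is the sixth quoted field.
top_user_agents() {
    awk -F'"' '{ print $6 }' "$1" | sort | uniq -c | sort -rn | head -n 10
}

# Number of log lines containing any indicator (full IP, IP prefix or user agent).
# grep exits 1 when nothing matches, so "|| true" keeps the count usable under set -e.
ioc_hits() {
    grep -c -F -f "$2" "$1" || true
}

# Stand-alone run: print each report for the sample log.
for report in top_ips post_per_ip errors_per_ip top_user_agents; do
    echo "== $report"
    "$report" "$LOG"
done
echo "== lines matching indicators: $(ioc_hits "$LOG" "$IOC")"
```

Run it as-is to see the four reports for the sample log, or point the functions at your own files (for example top_ips /var/log/apache2/access.log). Because grep -F matches substrings anywhere in the line, an indicator that appears in a referer or request path also counts as a hit; treat matches as triage leads to be read in context, not as proof of compromise, especially for the generic Firefox/68 user agent.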

If you need any technical assistance, please let us know and we will introduce you to our security team.

The investigation is still in progress and we will post updates whenever we have any relevant information. If you have any other questions regarding this topic, do not hesitate to contact us at security@waydev.co.

-- (July 2, 2020, 11:20 am PST)

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token.
 
The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens. However, no other suspicious activity was identified during our initial analysis.
 
Our Security Specialists are currently investigating this alongside GitHub's Security Team to understand how we can prevent events like this from happening. Even though there is no evidence of any data breach, we are working hard to strengthen our defenses.
 
You can now reconnect through GitHub OAuth, but for security purposes we strongly recommend connecting with a GitHub Personal Access Token granted only the scopes Waydev needs.
 
If you have any other questions regarding this topic, do not hesitate to contact us.

July 10, 2020, 5:50 pm PST

GitHub sent an email to all users who had connected the Waydev GitHub application, both affected and non-affected. Please check your GitHub logs for the recent period to see whether you were affected.

Below are the Waydev IPs from which we pull data; repository access by the Waydev application from any other address should be treated as suspicious:

  • 142.93.239.72
  • 167.99.223.224
  • 134.209.196.25

July 24, 2020, 1 am PST

Since the last update, Waydev has not detected any further threats.

What we can tell you right now is that we are treating this situation very seriously. We identified the vulnerability right away and applied a fix immediately. We have also enabled stronger monitoring and defense mechanisms and, with the help of a professional third-party company, we actively monitor all our assets to make sure no other issues are present.

We decided to perform a full manual security code review with the help of a professional third-party company and to fix every issue it finds. After this initial audit, we will continue with incremental security audits after each major change, or monthly on the accumulated changes.

Other actions we have taken to improve our security:
  • Manual access: it is now impossible to create an account without approval from our security team;
  • Monitoring of all activity;
  • Tokens are reset twice a day;
  • The incident has been reported to the authorities.
We will maintain a higher level of security monitoring over our assets for suspicious activity, and we will improve our security policies and procedures based on this event, both to prevent similar situations and to improve our overall attack detection capabilities.

If you were affected by the attackers, please contact us at security@waydev.co so that we can connect you with the authorities.