The GitHub integration OAuth tokens that were taken last month also contributed to the vulnerability of an internal client database, according to a recent statement from Heroku.

The cloud platform, which is owned by Salesforce, acknowledged that the same compromised token was utilised by attackers to steal client credentials that had been hashed and salted from “a database.”

Following yesterday’s contact between BleepingComputer and Salesforce, Heroku released an update.

Even though BleepingComputer doesn’t have any OAuth integrations that leverage Heroku apps or GitHub, we unexpectedly received a password reset email from Heroku, like many other users. This suggested that there was another reason for these password resets.

Forced password resets are explained by Heroku.
Following the security breach from last month, Heroku began this week forcing password resets for a portion of its user accounts without providing a detailed justification.

Some Heroku users received emails on Tuesday evening informing them that their account passwords would be changed as a result of the security breach, with the subject line “Heroku security notification – resetting user account passwords on May 4, 2022.” The email noted that the reset will also invalidate all API access tokens and force users to create new ones.

However, the original security problem being discussed involves threat actors stealing OAuth tokens given to Heroku and Travis-CI and utilising them to retrieve data from secure GitHub repositories belonging to a variety of companies, including npm.

According to a previous statement from GitHub, “On April 12, GitHub Security started an investigation that uncovered evidence that an attacker exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organisations, including npm.”

These tokens had previously been used by the OAuth integrations of the Travis-CI and Heroku platforms to link with GitHub and release apps.

Threat actors could access and download data from GitHub repositories belonging to users who gave their accounts permission to the stolen Heroku or Travis CI OAuth apps by stealing these OAuth tokens. Notably, the issue had no effect on GitHub’s infrastructure, processes, or private repositories.

But up until this point, it was still unclear why Heroku would need to reset some user account passwords.

It turns out that threat actors were able to access Heroku’s internal database of client accounts through the compromised token for a Heroku machine account:

Heroku updates its security warning: “Our research also discovered that the same compromised token was used to access a database and exfiltrate the hashed and salted passwords for users’ accounts.”

“Because of this, Salesforce is making sure that all Heroku user passwords are changed and that any potentially vulnerable credentials are updated. We have added more detections and rotated internal Heroku credentials. We are still looking into the token compromise’s origin.”

A reader of YCombinator Hacker News suggested that the “database” being discussed might be what was formerly known as “core-db.”

Craig Kerstiens of the PostgreSQL platform CrunchyData, a former employee of Heroku, is the reader in question.

According to Kerstiens, the internal database is referenced in the most recent report as “a database.”

“It appears [the attacker] had access to internal systems, but I don’t want to guess too much. It was discovered, noted, and reported to Heroku by GitHub. You can’t argue against the need for further clarity, but it would be wise to follow up with Salesforce on that.”

After being contacted by BleepingComputer, Kerstiens acknowledged writing these statements.

Clients refer to ambiguous disclosure as a “train crash.”
In its initial statement about the security breach, Heroku said that accounts using compromised OAuth tokens from Heroku had exploited GitHub repositories to gain unauthorised access.

The business has previously said that “The compromised tokens could give the threat actor access to customer GitHub repos, but not customer Heroku accounts.”

However, the password reset emails legitimately raised consumer worries that Heroku’s investigation might have turned up additional malicious activity by the threat actors that wasn’t being made public.

The disclosure was termed “a complete train wreck and a case study on how not to interact with your customers,” by some YCombinator Hacker News readers.

Heroku has started to shed some light on the issue in an effort to be more open with the community.

According to Heroku, “We embrace transparency and recognise that our customers are looking for a deeper understanding of the implications of this incident and our reaction thus far.”

The cloud platform added that it had reached a stage where more material could be disclosed without jeopardising the ongoing investigation after cooperating with GitHub, threat intelligence suppliers, industry partners, and law enforcement during the inquiry:

A different third-party integrator, Travis-CI, revealed, however, that no client data had been harmed by the event on the business day that followed GitHub’s initial notice.

Users of Heroku are urged to keep checking the security notification page for updates concerning the incident.