
Flaw in GitHub OAuth logic allowed unrestricted access to private repositories - kailanb
Many just received this email from GitHub support:
--<p>GitHub has discovered an error in the logic used to enforce OAuth App access restrictions, which restrict OAuth integration access to an organization&#x27;s private repositories. In certain situations, when a member of an organization granted access to a third-party OAuth integration, that integration could have been given more access to some of your organization’s repositories than we intended to allow.<p>When an organization enables OAuth App access restrictions, GitHub generally limits OAuth integration access to private repositories.  This error in OAuth App access restrictions allowed third-party OAuth integrations, such as continuous integration providers, the same access permissions to certain private repositories within an organization as the user who implemented the integration had, provided they had authorized the integration for a scope capable of interacting with repositories.<p>--
Full email: https:&#x2F;&#x2F;gist.github.com&#x2F;kailan&#x2F;9f37ec2cd76314f945dda65e5beab241
======
graystevens
Clickable link:
[https://gist.github.com/kailan/9f37ec2cd76314f945dda65e5beab...](https://gist.github.com/kailan/9f37ec2cd76314f945dda65e5beab241)

Very interesting. I wonder if any private organisations setup a pseudo/canary
repositories, that when pulled triggered an alarm? Or simply contained some
monitored API keys or credentials to spot any activity/Insider threats.

Might be a neat idea for those businesses that are concerned about their
private repos (either cloud hosted or self hosted).

May have picked up if anyone was able to exploit this.

