Waydev, provider of an analytics platform for software developers, has disclosed a security incident. Attackers gained access to an internal database holding the OAuth tokens Waydev uses for GitHub and GitLab. Those tokens are said to have enabled, among other things, the subsequent theft of customer data from the finance app Dave.
The Waydev platform analyzes Git-based code and thus tracks the work of software developers. For this purpose, Waydev offers a dedicated app that is also listed in the GitHub and GitLab app marketplaces.
When users install this app, Waydev receives OAuth tokens that grant it access to the customers' GitHub or GitLab projects. Waydev stores these tokens in a database, since they are needed to generate the daily analysis reports.
Cybercriminals got into this database through an SQL injection vulnerability and stole the tokens. The tokens were then used to retrieve source code from Waydev customers, as Waydev CEO Alex Circei explained in an interview with ZDNet USA.
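To make the failure mode concrete, here is an added example that is not Waydev's code; nothing about their actual schema or queries is public on this page, so the table layout, the customer names and the token strings are constructed for illustration. It builds an in-memory SQLite token store, shows a lookup that splices user input into the SQL string, and next to it the parameterized form that binds the input as a value. A classic `' OR '1'='1` payload dumps every stored token from the first and nothing from the second.

```python
import sqlite3

# Constructed sample data for the example: hypothetical customers and
# placeholder token strings, not real credentials.
SAMPLE_TOKENS = [
    (1, "alice-corp", "github", "gho_EXAMPLEtoken1"),
    (2, "bob-inc", "gitlab", "glpat-EXAMPLEtoken2"),
    (3, "carol-ltd", "github", "gho_EXAMPLEtoken3"),
]

# Attacker-controlled "customer name": closes the quoted literal and
# appends an always-true condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory token store shaped like a minimal OAuth token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oauth_tokens ("
        "id INTEGER PRIMARY KEY, customer TEXT, provider TEXT, token TEXT)"
    )
    conn.executemany("INSERT INTO oauth_tokens VALUES (?, ?, ?, ?)", SAMPLE_TOKENS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """Vulnerable: the input is concatenated into the SQL text, so any quote
    character in it changes the structure of the statement."""
    sql = f"SELECT token FROM oauth_tokens WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, customer):
    """Hardened: the input is passed as a bound parameter and can only ever be
    compared as a string value, never parsed as SQL."""
    sql = "SELECT token FROM oauth_tokens WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def demo():
    """Run both lookups against a legitimate name and the injection payload."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice-corp"),
        "legit_safe": lookup_safe(conn, "alice-corp"),
        "attack_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "attack_safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, tokens in demo().items():
        print(f"{name}: {tokens}")
```

Parameterization closes the injection, but a database that is compromised by any other route still yields tokens that work immediately against GitHub and GitLab; that is why revoking the tokens, as described below, is what actually ends the exposure, and why keeping them encrypted at rest with a key held outside the database is worth the extra complexity.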
The incident was discovered by GitHub's security team, which noticed suspicious activity involving a Waydev token. The vulnerability in the database was fixed on July 3, shortly after Waydev learned of the attack. Together with GitHub and GitLab, all tokens were also revoked, which cut off the attackers' access to Waydev customers' GitHub and GitLab accounts, the CEO continued.
So far, two data thefts have been reported that are attributed to the Waydev attack. Besides the finance app Dave, the Flood.io software service was also affected.
Waydev emphasized that US authorities have been informed of the break-in. The security provider Bit Sentinel is involved in the investigation. Waydev has also introduced new security measures: according to the company, new accounts can no longer be created without the express approval of a member of the Waydev security team, and all tokens are now reset twice a day.
Waydev also provides indicators of compromise for its customers on a support page. With this information, which includes the attackers' IP and email addresses, customers can search their own logs for signs of a compromise.