Skip to main content

GitHub OAuth Client Credentials

GitHub OAuth Client Credentials are used to authenticate applications to access GitHub's API on behalf of a user or organization. These credentials typically consist of a client ID and a client secret, which are used to obtain an access token. Exposure of these credentials can lead to unauthorized access to GitHub resources, potentially allowing attackers to perform actions on behalf of the application or its users. This poses a significant security risk, especially if the credentials have broad permissions.

How Does It Look

GitHub OAuth Client Credentials can appear in various contexts, such as:

  • Environment variables:

    export GITHUB_CLIENT_ID="abc123xyz"
    export GITHUB_CLIENT_SECRET="shhh-its-a-secret"

  • Configuration files (JSON, YAML, .env):

    {
      "github": {
        "client_id": "abc123xyz",
        "client_secret": "shhh-its-a-secret"
      }
    }

  • Code snippets:

    const clientId = "abc123xyz";
    const clientSecret = "shhh-its-a-secret";

  • Connection strings (if applicable): Not typically used in connection strings.

Severity

  • 🔴 Critical

The severity is critical because these credentials can provide access to sensitive GitHub resources, including repositories, issues, and user data. If compromised, an attacker could manipulate repositories, access private data, or perform actions that could affect the integrity and security of the affected GitHub account.

What Can an Attacker Do?

With immediate access to GitHub OAuth Client Credentials, an attacker can impersonate the application and perform actions on behalf of its users.

Key actions an attacker can perform:

  • Access private repositories (if the credential has read permissions)
  • Modify repository contents (if the credential has write permissions)
  • Access user data (if the credential has user data scope enabled)
  • Create or delete repositories (if the credential has admin permissions)

An attacker could also escalate their access by leveraging the compromised credentials to gain further insights into the organization's GitHub environment, potentially leading to lateral movement across other integrated systems.

Real-World Impact

Exposure of GitHub OAuth Client Credentials poses significant business risks, including:

Potential consequences include:

  • Data Exposure: Access to private repositories and sensitive code (if the credential has read access to repositories)
  • Financial Loss: Unauthorized use of GitHub resources could incur additional costs (if billing/resource creation is permitted)
  • Operational Disruption: Unauthorized changes to repositories could disrupt development workflows (if the attacker has write permissions)
  • Reputational Damage: Loss of trust from users and partners due to unauthorized access or data breaches

In the worst-case scenario, compromised credentials could lead to widespread data breaches, affecting multiple projects and stakeholders, and causing long-term damage to the organization's reputation.

Prerequisites for Exploitation

  • Network access requirements: Internet access to reach GitHub's API endpoints
  • Additional context needed: Knowledge of the specific GitHub API endpoints and scopes associated with the credentials
  • Any rate limits or restrictions they'd face: GitHub API rate limits could restrict the number of requests an attacker can make

How to Verify If It's Active

To verify if the GitHub OAuth Client Credentials are active, use the following command:

curl -H "Authorization: Bearer [TOKEN]" https://api.github.com/user

Valid credential response: A successful response will return user information in JSON format.

Invalid/expired credential response: An error message indicating unauthorized access or invalid credentials.

Detection Patterns

Common Variable Names:

  • GITHUB_CLIENT_ID
  • GITHUB_CLIENT_SECRET
  • CLIENT_ID
  • CLIENT_SECRET
  • OAUTH_CLIENT_ID
  • OAUTH_CLIENT_SECRET

File Locations:

  • .env
  • config.json
  • settings.yaml
  • appsettings.json
  • secrets.json

Regex Pattern:

(?i)(github|oauth)_client_(id|secret)["']?\s*[:=]\s*["'][a-z0-9]{20,40}["']

Remediation Steps

  1. Revoke immediately - Go to GitHub Developer Settings > OAuth Apps and delete the compromised application credentials.
  2. Audit access logs - Review GitHub audit logs for unauthorized access or actions performed during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Create a new OAuth application in GitHub with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable two-factor authentication for GitHub accounts and restrict OAuth app permissions.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

References