Security Issues

[ALeX400]

Select Topic Area

Question

Body

Security Concern: OAuth Connection Bypassing 2FA

Context

Within the last 20-24 hours, my GitHub account experienced unauthorized access, seemingly bypassing 2-Factor Authentication (2FA) through OAuth. Although my account is theoretically secure now, I seek clarity and wish to share details of the incident for a deeper understanding and to prevent future occurrences.

Detailed Incident Report

Initial Activity: Malware Reporting and Interaction

A few minutes ago, I reported a user who published malware while pretending it to be something else.

• My Typical Activity: I frequently explore the platform for suspicious repositories and utilize a virtual machine for testing.
• What Happened: I downloaded content from the user. The antivirus did not flag anything suspicious.
• Misstep: Mistaking my own system for the virtual machine, i executed the malware (executable) (don't ask me how i managed to make such a mistake, but it happened). No immediate issues were reported.

Consequences: Unauthorized Access and Account Actions

Approximately 20-24 hours post-execution of the suspicious file:

• I lost access to 7 Google accounts.
• My GitHub account, associated with one of these emails, was theoretically bypassed.
• A third-party application using OAuth authentication accessed my account, without triggering a 2FA security check.
• Multiple attempts to create repositories were made. After several unsuccessful attempts, they managed to create one or more repositories.
• Further unauthorized actions noted were: forking and revoking access from several trusted applications, including GitHub Desktop.

Considerations and Suggestions: Geolocation-Based Security

• Current Behavior: The platform did not flag when account actions were suddenly performed from Poland, despite my consistent access from Romania.
• Suggestion: Would it be possible to implement a security check or filter that considers geolocation in its security protocols ?
  • E.g., Enforce a strict 2FA check when account access location drastically changes ?

Current Status and Responsibility Acknowledgement

Currently, my account is safe; security has been restored, unauthorized repositories have been deleted, and normal access is re-established. I acknowledge and take full responsibility for my actions that led to this security breach on my account (because it was my fault).

Additional Observations

From my research, these types of 'security breaches' didn't seem that common before the 2FA enrollment initiative. I’ve observed that all users who publish such repositories are bots that executed similar actions to mine. Unfortunately, without realizing what was transpiring and consequently losing complete access to their accounts.

Reflection and Inquiry

Despite the resolution, i am left pondering:

• In your perspective, what are your thoughts about this event ?
• Security Enhancement: Wouldn’t it be prudent to alert users about suspicious activities on their account, especially when involving unfamiliar geolocations ?

Sorry if my post has nothing to do with the context, but it's actually a question.
Best regards, ALeX.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬