Hacker gains admin control of Sourcegraph and gives free access to the masses

An unknown hacker gained administrative management of Sourcegraph, an AI-driven service utilized by builders at Uber, Reddit, Dropbox, and different corporations, and used it to offer free entry to sources that usually would have required fee.

Within the course of, the hacker(s) might have accessed private data belonging to Sourcegraph customers, Diego Comas, Sourcegraph’s head of safety, stated in a post on Wednesday. For paid customers, the data uncovered included license keys and the names and e mail addresses of license key holders. For non-paying customers, it was restricted to e mail addresses related to their accounts. Personal code, emails, passwords, usernames, or different private data have been inaccessible.

Free-for-all

The hacker gained administrative entry by acquiring an authentication key a Sourcegraph developer by chance included in a code revealed to a public Sourcegraph occasion hosted on Sourcegraph.com. After creating a traditional consumer Sourcegraph account, the hacker used the token to raise the account privileges to these of an administrator. The entry token appeared in a pull request posted on July 14, the consumer account was created on August 28, and the elevation to admin occurred on August 30.

“The malicious consumer, or somebody linked to them, created a proxy app permitting customers to instantly name Sourcegraph’s APIs and leverage the underlying LLM [large language model],” Comas wrote. “Customers have been instructed to create free Sourcegraph.com accounts, generate entry tokens, after which request the malicious consumer to vastly enhance their charge restrict. On August 30 (2023-08-30 13:25:54 UTC), the Sourcegraph safety group recognized the malicious site-admin consumer, revoked their entry, and kicked off an inner investigation for each mitigation and subsequent steps.”

The useful resource free-for-all generated a spike in calls to Sourcegraph programming interfaces, that are usually rate-limited without spending a dime accounts.

“The promise of free entry to Sourcegraph API prompted many to create accounts and begin utilizing the proxy app,” Comas wrote. “The app and directions on tips on how to use it shortly made its means throughout the net, producing near 2 million views. As extra customers found the proxy app, they created free Sourcegraph.com accounts, including their entry tokens, and accessing Sourcegraph APIs illegitimately.”

Sourcegraph personnel ultimately recognized the surge in exercise as “remoted and inorganic” and started investigating the trigger. Comas stated the corporate’s automated code evaluation and different inner management methods “didn’t catch the entry token being dedicated to the repository.” Comas didn’t elaborate.

The token gave customers the power to view, modify, or copy the uncovered knowledge, however Comas stated the investigation didn’t conclude if that really occurred. Whereas most knowledge was accessible for all paid and group customers, the variety of license keys uncovered was restricted to twenty.

The inadvertent posting by builders of personal credentials in publicly accessible code has been an issue plaguing on-line corporations for more than a decade. These credentials can embody non-public encryption keys, passwords, and authentication tokens. Within the age of publicly accessible code repositories like GitHub, credentials ought to by no means be included in commits. As a substitute, they need to be saved solely on restricted servers.