Yaron Avital
Yaron Avital is a seasoned professional with a diverse background in the technology and cybersecurity fields. Yaron's career has spanned over 15 years in the private sector as a software engineer and team lead at global companies and startups.
Driven by a passion for cybersecurity, Yaron now focuses on security research, with expertise in application security, software supply chain security, web security research, and reverse engineering of third-party protocols.
Session
Open-source projects often leverage GitHub Actions for automated builds. This talk delves into a novel attack vector where I discovered a treasure trove of secrets – leaked access tokens – hidden within seemingly innocuous build artifacts, available for everyone to consume. These tokens encompassed various cloud services, interesting in their own right, but I aimed to achieve more: taking control over these open-source projects.
Finding hidden GitHub Actions tokens in these artifacts was the easy part, and I even managed to poison the projects’ artifacts and cache, but pushing malicious code into the repositories failed, as the ephemeral tokens created in each workflow run expired as soon as the job was finished. This presented a thrilling challenge: a race against time to steal and use these tokens before they vanish.
This session equips attackers with a novel attack path, revealing how to unearth sensitive data in build artifacts, craft a high-speed exploit to catch ephemeral tokens, and utilize them for swift attacks. In this talk, I’ll showcase real-world examples of popular open-source projects I got to breach, as well as projects maintained by high-profile organizations.
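The abstract describes tokens leaking through build artifacts. As an added defensive example (not code from the talk or the speaker), the pre-upload check below scans a would-be artifact directory for GitHub token formats and for a base64 basic-auth header in `.git/config`; the header layout is assumed to be the one `actions/checkout` writes when it persists credentials, and the sample token and files are constructed, not real.

```python
import base64
import re
import tempfile
from pathlib import Path

# Real GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_);
# ghs_ is the form the ephemeral per-run GITHUB_TOKEN takes.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
# Assumption: a checked-out repo carries its token as a base64 basic-auth
# extraheader in .git/config, so archiving the .git directory leaks it.
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def find_token_leaks(text: str) -> list[str]:
    """Return redacted findings for one file's contents (never the full secret)."""
    findings = [f"token:{m.group(0)[:4]}...{m.group(0)[-4:]}" for m in TOKEN_RE.finditer(text)]
    for m in EXTRAHEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64; nothing to decode
        if TOKEN_RE.search(decoded):
            findings.append("git-extraheader:base64 basic auth carrying a GitHub token")
    return findings


def scan_artifact_dir(root: Path) -> dict[str, list[str]]:
    """Walk a directory about to be uploaded; map relative path -> findings."""
    results: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        found = find_token_leaks(path.read_text(errors="replace"))
        if found:
            results[path.relative_to(root).as_posix()] = found
    return results  # non-empty means: fail the job before the upload step


# Constructed samples: a fake ghs_ token (36 'A's) in an env dump and in a
# .git/config fragment shaped like the one actions/checkout persists.
FAKE_TOKEN = "ghs_" + "A" * 36
SAMPLE_ENV_FILE = f"GITHUB_TOKEN={FAKE_TOKEN}\n"
SAMPLE_GIT_CONFIG = (
    '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic '
    + base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode() + "\n"
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        art = Path(tmp)
        (art / ".git").mkdir()
        (art / ".git" / "config").write_text(SAMPLE_GIT_CONFIG)
        (art / "build.env").write_text(SAMPLE_ENV_FILE)
        (art / "app.js").write_text("console.log('hello');\n")
        for rel, hits in scan_artifact_dir(art).items():
            print(rel, hits)  # .git/config and build.env are reported, app.js is not
```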