Security disclosure: GitHub access token leak #20266
danielroe
announced in
Announcements
Replies: 0 comments
What happened

On Tuesday morning this week, I received an email disclosing a leak of a GitHub access token via nuxt.com. This token had wide access permissions including admin access to the nuxt GitHub organisation. The token was leaked in the website payload due to a module, @nuxtlabs/github, which was misconfigured to set a private token on runtimeConfig.public.

What we did

We immediately shipped a patch to the module, which is available in v1.6.2.

Sébastien and I were also able to identify the individual who had created the token and ensure it was revoked.

We then reviewed audit logs for the nuxt organisation to confirm nothing malicious was done with the token. Our exposure is limited as Nuxt is an open-source project, and we are confident there was no malicious activity that could affect code we would subsequently distribute.

What you need to do

If you were using @nuxtlabs/github, please ensure you have updated to the latest version, and that you have revoked any tokens you used with the module previously. Past tokens may still be accessible from crawler caches.

Lessons learnt

This security issue was caused by two factors:

- runtimeConfig.public

This underlines the importance of using tightly scoped access tokens and auditing the code of any modules that consume private tokens.
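The misconfiguration described above comes down to where a secret lives in a Nuxt project's runtimeConfig: keys under runtimeConfig.public are serialised into the client payload, keys at the runtimeConfig root stay on the server. The following is an added example, not code from the advisory or from the @nuxtlabs/github module. It uses a simplified model of Nuxt's payload serialisation (clientPayload), a hypothetical github.token option, a constructed placeholder token, and two illustrative guards (auditPublicConfig as a build-time check on the config, scanPayloadForTokens as a check on rendered output) whose names are assumptions for this example.

```javascript
// Added example: a simplified model of how Nuxt exposes runtimeConfig, plus
// two defensive checks. Not the advisory's or the module's own code; the
// config key "github.token" and all function names are illustrative.

// Constructed sample config: the weak setting (secret under "public", the
// misconfiguration the advisory describes) next to the corrected one.
// The token value is a constructed placeholder, not a real credential.
const PLACEHOLDER_TOKEN = 'ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE1234';

const MISCONFIGURED = {
  runtimeConfig: {
    public: {
      siteName: 'nuxt.com',
      github: { token: PLACEHOLDER_TOKEN }, // shipped to every visitor
    },
  },
};

const CORRECTED = {
  runtimeConfig: {
    github: { token: PLACEHOLDER_TOKEN }, // server-only: not serialised for the client
    public: { siteName: 'nuxt.com' },
  },
};

// Simplified model of what Nuxt serialises into the page payload: only the
// "public" subtree is shipped to the browser; the rest stays server-side.
function clientPayload(config) {
  const pub = config.runtimeConfig?.public ?? {};
  return { config: { public: JSON.parse(JSON.stringify(pub)) } };
}

// Documented GitHub token prefixes: classic PATs and app/OAuth tokens
// (ghp_, gho_, ghu_, ghs_, ghr_) and fine-grained PATs (github_pat_).
const TOKEN_PATTERNS = [
  /\bgh[pousr]_[A-Za-z0-9]{20,}\b/,
  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,
];
const SENSITIVE_KEY = /token|secret|password|api[_-]?key/i;

// Walk an object and return dotted paths of leaves that look like secrets,
// judged either by the key name or by the value's shape.
function findSecrets(obj, path = []) {
  const hits = [];
  for (const [key, value] of Object.entries(obj ?? {})) {
    const here = [...path, key];
    if (value && typeof value === 'object') {
      hits.push(...findSecrets(value, here));
    } else if (typeof value === 'string') {
      if (SENSITIVE_KEY.test(key) || TOKEN_PATTERNS.some((re) => re.test(value))) {
        hits.push(here.join('.'));
      }
    }
  }
  return hits;
}

// Build-time guard: list anything under runtimeConfig.public that should
// never reach the browser. An empty result means the config is clean.
function auditPublicConfig(config) {
  return findSecrets(config.runtimeConfig?.public ?? {}, ['runtimeConfig', 'public']);
}

// Post-build guard: scan rendered output (e.g. the serialised payload blob in
// the HTML) for token-shaped strings, independent of how they got there.
function scanPayloadForTokens(payloadText) {
  return TOKEN_PATTERNS.flatMap(
    (re) => payloadText.match(new RegExp(re.source, 'g')) ?? [],
  );
}

// Demonstration on the constructed configs.
for (const [label, cfg] of [['misconfigured', MISCONFIGURED], ['corrected', CORRECTED]]) {
  const payloadText = JSON.stringify(clientPayload(cfg));
  console.log(label, {
    configFindings: auditPublicConfig(cfg),
    tokensInPayload: scanPayloadForTokens(payloadText).length,
  });
}
```

The config audit is the cheaper check to wire into CI, since it runs before anything is rendered; the payload scan catches the same class of leak when a module, rather than your own nuxt.config, is the one writing into runtimeConfig.public, which is exactly the case in this advisory.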