Security incident: Developer impostor

We recently faced a minor security incident at the OpenBazaar GitHub repository.

An attacker was able to briefly gain push access and make code changes that remained undetected for about one hour, by pretending to be a developer with contributor access who lost access to his normal account. The changes that the attacker made to the code were insignificant and were not related to security – they were mostly tests. Only the “develop” branch was affected, not the “master” branch. As our users run the “master” branch, we expect no users to be affected by this breach.

We reverted the code changes immediately and access rights were restored. We don’t expect anyone to be affected by this attack. In response to the attack, we are in the process of developing more rigorous security policies that require proper authentication before a committer’s username or account is changed. Our new policies will also include operational security requirements for existing developers. In coordination with GitHub, we have ensured that the attacker’s accounts have been appropriately banned.

As part of our transparency commitment to our users, we are publishing this security incident so that people are aware of the problems we face and how we are addressing them.

Our full incident response post-mortem report is available for the community to read.