[entelarust]

Quick theoretical senario...

User signs up to try circleci for a private project of theirs. Grants read access to their private repos via github oauth

User also has many other private repos (company they work for, open source projects, forks, etc)

Could they have used the stored github credentials from circleci to clone every private repo in full the user had access to?

[xentronium]

Github has a feature to allow access to a singular repository via a key. It would be logical for CircleCI to use that feature, although I'm not sure they actually did.

https://help.github.com/articles/managing-deploy-keys#deploy...

[johnwards]

I'm pretty sure that Circle uses the oAuth api to checkout repos, the deploy key part on github they use for their deployment feature.

If the attacker has a bunch of tokens, could they have bulk downloaded source code before the oAuth stuff was revoked by Circle?

https://github.com/blog/1270-easier-builds-and-deployments-u...

[gravitronic]

They did not.

[j15e]

They did, Circle-CI client here.

Info have a Circle-CI deploy key per private repository (which I will revoke).

[hkdobrev]

In theory it is possible.