User signs up to try circleci for a private project of theirs. Grants read access to their private repos via github oauth
User also has many other private repos (company they work for, open source projects, forks, etc)
Could they have used the stored github credentials from circleci to clone every private repo in full the user had access to?
https://help.github.com/articles/managing-deploy-keys#deploy...
If the attacker has a bunch of tokens, could they have bulk downloaded source code before the OAuth stuff was revoked by Circle?
https://github.com/blog/1270-easier-builds-and-deployments-u...
Info have a Circle-CI deploy key per private repository (which I will revoke).