{"id":45775,"date":"2018-07-24T20:06:20","date_gmt":"2018-07-24T20:06:20","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/devops\/?p=45775"},"modified":"2019-02-14T15:48:47","modified_gmt":"2019-02-14T23:48:47","slug":"enabling-administrators-to-revoke-vsts-access-tokens","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/enabling-administrators-to-revoke-vsts-access-tokens\/","title":{"rendered":"Enabling administrators to revoke VSTS access tokens"},"content":{"rendered":"<p>As promised in the\u00a0<a href=\"https:\/\/blogs.msdn.microsoft.com\/devops\/2018\/07\/18\/protecting-our-users-from-the-npm-eslint-package-breach\/\">Protecting our users from the ESLint NPM package breach<\/a> blog post last week, we have deployed\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/rest\/api\/vsts\/tokenadmin\/?view=vsts-rest-5.0\">new REST APIs<\/a> to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts.<\/p>\n<p>We&#8217;ve reviewed our system telemetry and have found no evidence that user credentials were compromised, but out of an abundance of caution, we believe it\u2019s prudent to proactively revoke these tokens.\u00a0 As such, we recommend that VSTS administrators take immediate action and revoke any PAT and JWT tokens that can access VSTS Package Management features. To help with this, we have created a\u00a0<a href=\"https:\/\/github.com\/Microsoft\/vsts-script-samples\/tree\/master\/PowerShell\/TokenAdmin\">PowerShell script to automate calling the new REST API<\/a>\u00a0simply by passing a list of user principal names (UPNs).<\/p>\n<p>After you have successfully revoked affected PATs and JWTs, please communicate this to your users so they can recreate their tokens as needed.<\/p>\n<p><strong>Over the next week, we will email all VSTS account admins whose users\u00a0accessed NPM from VSTS in the last 12 months <\/strong>(If you don&#8217;t get an email, you are unaffected and no actions are required).\u00a0 <strong>On 3 August 2018\u00a0<\/strong><strong>we<\/strong> <strong>will revoke any potentially impacted tokens for these affected customers only.\u00a0 <\/strong>We hope this email notification provides VSTS administrators sufficient time to coordinate with their teams to rotate tokens, specifically those used to access VSTS package management features, to avoid any disruption, but also providing confidence that no user\u2019s tokens will be overlooked.<\/p>\n<h3><strong>Context on the security incident<\/strong><\/h3>\n<p>On 12 July 2018, malicious code was detected in two popular open-source NPM components, <strong>eslint-scope (version 3.7.2)<\/strong> and <strong>eslint-config-eslint (version 5.0.2)<\/strong>. As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This includes credentials required to access package feeds hosted in VSTS.<\/p>\n<p>In response to this incident, we have identified the VSTS users impacted by this and proactively revoked their access tokens as a precaution to protect their credentials. This action was taken on 16 July 2018. You can learn more about the ESLint incident by reading the <a href=\"https:\/\/eslint.org\/blog\/2018\/07\/postmortem-for-malicious-package-publishes\">post-mortem blog post by the ESLint team<\/a>.<\/p>\n<p>In addition to the known users impacted by this package, typical NPM usage patterns indicate the possibility that some users with VSTS credentials stored in their <strong>.npmrc<\/strong> file and who downloaded malicious packages directly from the public <strong>npmjs.org<\/strong> registry may experience potential credential compromise.<\/p>\n<h3><strong>Additional assistance<\/strong><\/h3>\n<p>If you have any questions or need assistance, please feel free to follow this process to create a free VSTS support case:<\/p>\n<ol>\n<li>Go to the VSTS support page at <a href=\"https:\/\/visualstudio.microsoft.com\/team-services\/support\">https:\/\/visualstudio.microsoft.com\/team-services\/support<\/a><\/li>\n<li>Scroll down to the \u201cContact us!\u201d Section and choose \u201cBasic Support\u201d<\/li>\n<li>Select \u201cIntegration and Extensibility\u201d for \u201cProblem Type\u201d<\/li>\n<li>Select \u201cREST API\u201d for \u201cCategory\u201d<\/li>\n<li>Click on \u201cStart Request\u201d<\/li>\n<li>Fill in your contact information and choose \u201cContinue\u201d<\/li>\n<li>For the \u201cIncident title\u201d, please be sure to add: \u201c<strong>Revoke tokens associated with ESLint malicious package<\/strong>\u201d<\/li>\n<li>Fill in your VSTS account URL<\/li>\n<li>Provide any additional details to better troubleshoot your issue<\/li>\n<li>Choose Submit<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>As promised in the\u00a0Protecting our users from the ESLint NPM package breach blog post last week, we have deployed\u00a0new REST APIs to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. We&#8217;ve reviewed our system telemetry and [&hellip;]<\/p>\n","protected":false},"author":174,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[228,1,251],"tags":[],"class_list":["post-45775","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-admin-licensing","category-devops","category-security"],"acf":[],"blog_post_summary":"<p>As promised in the\u00a0Protecting our users from the ESLint NPM package breach blog post last week, we have deployed\u00a0new REST APIs to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. We&#8217;ve reviewed our system telemetry and [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/45775","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/174"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=45775"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/45775\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=45775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=45775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=45775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}