GitHub bug briefly gave valid authenticated session cookies to wrong users

Don’t panic: Fewer than 0.001% of sessions compromised through flaw that couldn’t be maliciously triggered


If you visit GitHub today you’ll be asked to authenticate anew because the code collaboration locker has squished a bug that sometimes “misrouted a user’s session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user.”

GitHub disclosed the problem today, explain that it could only happen under “extremely rare circumstances” and “occurred in fewer than 0.001% of authenticated sessions on GitHub.com.”

The service knows which users’ sessions were exposed by the flaw and says it has contacted them with guidance and additional information.

The rest of us have been told: “It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” the outfit stated.

“Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.”

This issue could not be intentionally triggered or directed by a malicious user

The confession post continues: “The underlying bug existed on GitHub.com for a cumulative period of less than two weeks at various times between February 8, 2021 and March 5, 2021.”

“Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug. There is no indication that other GitHub.com properties or products were affected by this issue, including GitHub Enterprise Server.”

To make sure the big was squashed, GitHub says it “invalidated all sessions … created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched.”

So now all you need to do is log back in to GitHub. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021