[BreachExchange] GitHub bug briefly gave valid authenticated session cookies to wrong users

Destry Winant destry at riskbasedsecurity.com
Thu Mar 11 10:32:37 EST 2021


https://www.theregister.com/2021/03/09/github_authentication_bug/

If you visit GitHub today you’ll be asked to authenticate anew because
the code collaboration locker has squished a bug that sometimes
“misrouted a user’s session to the browser of another authenticated
user, giving them the valid and authenticated session cookie for
another user.”

GitHub disclosed the problem today, explaining that it could only happen
under “extremely rare circumstances” and “occurred in fewer than
0.001% of authenticated sessions on GitHub.com.”

The service knows which users’ sessions were exposed by the flaw and
says it has contacted them with guidance and additional information.

The rest of us have been told: “It is important to note that this
issue was not the result of compromised account passwords, SSH keys,
or personal access tokens (PATs) and there is no evidence to suggest
that this was the result of a compromise of any other GitHub systems,”
the outfit stated.

“Instead, this issue was due to the rare and isolated improper
handling of authenticated sessions. Further, this issue could not be
intentionally triggered or directed by a malicious user.”

The confession post continues: “The underlying bug existed on
GitHub.com for a cumulative period of less than two weeks at various
times between February 8, 2021 and March 5, 2021.”

“Once the root cause was identified and a fix developed, we
immediately patched GitHub.com on March 5. A second patch was deployed
on March 8 to implement additional measures to further harden our
application from this type of bug. There is no indication that other
GitHub.com properties or products were affected by this issue,
including GitHub Enterprise Server.”

To make sure the bug was squashed, GitHub says it “invalidated all
sessions … created prior to 12:03 UTC on March 8 to avoid even the
remote possibility that undetected compromised sessions could still
exist after the vulnerability was patched.”
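As an added illustration (not GitHub's code; the cookie format and store design are assumptions), here is a minimal signed-cookie session store with the mitigation the article describes: a server-side cutoff that rejects any session issued before it, so sessions that may have been misrouted are killed in one step without having to locate them individually.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Cutoff quoted in the article: sessions created before 12:03 UTC on March 8, 2021.
CUTOFF_2021_03_08 = int(datetime(2021, 3, 8, 12, 3, tzinfo=timezone.utc).timestamp())


class SessionStore:
    """Signed-cookie sessions with a global 'valid from' cutoff (hypothetical design)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.valid_from = 0  # epoch seconds; any session issued earlier is rejected

    def mint(self, user_id: str, issued_at: int) -> str:
        """Issue a cookie: base64(JSON claims) + '.' + HMAC-SHA256 over the payload."""
        claims = json.dumps({"uid": user_id, "iat": issued_at}, sort_keys=True).encode()
        payload = base64.urlsafe_b64encode(claims).decode()
        sig = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def invalidate_all_before(self, cutoff: int) -> None:
        """Incident response knob: one value change forces every older session to
        re-authenticate, with no need to enumerate the affected ones."""
        self.valid_from = max(self.valid_from, cutoff)

    def validate(self, cookie: str):
        """Return the user id for an authentic, still-valid session, else None."""
        payload, _, sig = cookie.partition(".")
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(sig, expected):
            return None  # forged, tampered or truncated cookie
        try:
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return None
        if claims.get("iat", 0) < self.valid_from:
            return None  # issued before the cutoff: treat as revoked
        return claims.get("uid")


if __name__ == "__main__":
    store = SessionStore(b"constructed-demo-key")  # constructed key, not a real secret
    old = store.mint("alice", CUTOFF_2021_03_08 - 60)  # constructed user and timestamp
    store.invalidate_all_before(CUTOFF_2021_03_08)
    print(store.validate(old))  # None: pre-cutoff session must log in again
```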

So now all you need to do is log back in to GitHub.
