GitHub on Monday said it had identified and fixed a rare vulnerability in some of its backend systems that could have rerouted a user’s authenticated session to another user’s browser. The company also invalidated all user sessions that were created before about noon UTC Monday as an added precaution, and said that the issue could not have been triggered intentionally by an attacker.
The vulnerability that caused the issue was a race condition in a request-handling process on GitHub’s backend infrastructure, and the company’s CSO, Mike Hanley, said that it existed at various times between Feb. 8 and March 5. A GitHub user alerted the company to the issue on March 2; the company’s security and engineering teams investigated it and deployed a fix for the race condition, which could have handed one user the valid, authenticated session cookie of another user.
“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems. Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user,” Hanley said in a post Monday evening.
“Out of an abundance of caution, and with a strong bias toward account security, we’ve invalidated all sessions on GitHub.com created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched.”
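The blanket invalidation described in the quote above, as an added illustration that is not GitHub's code: a signed session cookie that carries its issue time, plus a global cutoff so every cookie minted before a chosen instant is rejected without a per-session lookup. The key, cookie format, cutoff value and function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a process-wide signing key and a global
# "not valid before" cutoff (epoch seconds). Cookies issued before the
# cutoff are rejected even though their signatures still verify.
SECRET_KEY = secrets.token_bytes(32)
CUTOFF = 0.0
EXAMPLE_CUTOFF = 1_000_000.0  # constructed epoch instant used by the demo


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user_id: str, issued_at: Optional[float] = None) -> str:
    """Mint a cookie of the form user_id:issued_at:signature."""
    ts = time.time() if issued_at is None else issued_at
    payload = f"{user_id}:{ts:.6f}"
    return f"{payload}:{_sign(payload)}"


def invalidate_sessions_before(cutoff: float) -> None:
    """Reject every session issued before `cutoff`; never move it backwards."""
    global CUTOFF
    CUTOFF = max(CUTOFF, cutoff)


def validate_session(cookie: str) -> Optional[str]:
    """Return the user id for a valid cookie, or None if it is rejected."""
    try:
        user_id, ts_str, sig = cookie.rsplit(":", 2)
        issued_at = float(ts_str)
    except ValueError:
        return None  # malformed cookie
    payload = f"{user_id}:{ts_str}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    if issued_at < CUTOFF:
        return None  # minted before the global cutoff: force re-login
    return user_id


if __name__ == "__main__":
    old = issue_session("alice", issued_at=EXAMPLE_CUTOFF - 3600)
    invalidate_sessions_before(EXAMPLE_CUTOFF)
    print(validate_session(old))  # None: issued before the cutoff
    print(validate_session(issue_session("bob", issued_at=EXAMPLE_CUTOFF + 60)))
```

Raising the cutoff forces every holder of an older cookie to authenticate again, which is the effect of invalidating all sessions created before a fixed time.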
Only a small number of users were ever actually affected by the issue, and GitHub has contacted them directly.
GitHub’s platform is used by tens of millions of developers to build hundreds of millions of software projects and is a significant part of the software supply chain in the United States and around the world. Hanley joined the company as CSO in late February and said that a top priority for him is ensuring that developers see evidence of the company’s commitment to security.
“Making sure that we have not just an investment but a visible investment in security is so important,” Hanley said in an interview with Decipher.