GitHub bug saw users logged into others users’ accounts

The Microsoft-owned firm invalidated all authenticated sessions “out of an abundance of caution”

GitHub was forced to log out some of its users to protect others against a potentially serious security flaw.

According to a GitHub blog post on March 8, it invalidated all authenticated sessions on GitHub “out of an abundance of caution” to protect users. 

Earlier in the month, GitHub received an external report of anomalous behavior for their authenticated GitHub user session. Once GitHub received the report, its security and engineering teams began to investigate the bug’s cause and impact.

GitHub found the bug was due to a rare condition in a backend request handling process that could have misrouted a user’s session to a different authenticated user’s browser, giving them another user’s valid and authenticated session cookie.

GitHub said the problem wasn’t the result of compromised account passwords, SSH keys, or personal access tokens (PATs), and there’s no evidence to suggest this was the result of a compromise of any other GitHub systems.

“Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user,” said Mike Hanley, CSO at GitHub.

He added that the underlying bug existed on GitHub for a cumulative period of fewer than two weeks at various times between February 8 and March 5. 

“Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug,” added Hanley.

He said that there was no indication the bug affected any other GitHub properties or products, including GitHub Enterprise Server, and added the session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.

Hanley said for the few users who the bug affected, GitHub has contacted them with additional information and guidance. He added that users should now log back in and follow the company’s security best practices for users and organizations.

GitHub promised to share the findings of its investigations and the issue’s root cause analysis “in the coming weeks.”

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021
New DNS vulnerabilities put millions of IoT devices at risk of hacking
Internet of Things (IoT)

New DNS vulnerabilities put millions of IoT devices at risk of hacking

13 Apr 2021
Cloud storage: How secure are Dropbox, OneDrive, Google Drive, and iCloud?
cloud security

Cloud storage: How secure are Dropbox, OneDrive, Google Drive, and iCloud?

13 Apr 2021
5G will accelerate cyber crime, predicts former White House CIO
5G

5G will accelerate cyber crime, predicts former White House CIO

13 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021