IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub bug saw users logged into others users’ accounts

The Microsoft-owned firm invalidated all authenticated sessions “out of an abundance of caution”

GitHub was forced to log out some of its users to protect others against a potentially serious security flaw.

According to a GitHub blog post on March 8, it invalidated all authenticated sessions on GitHub “out of an abundance of caution” to protect users. 

Earlier in the month, GitHub received an external report of anomalous behavior for their authenticated GitHub user session. Once GitHub received the report, its security and engineering teams began to investigate the bug’s cause and impact.

GitHub found the bug was due to a rare condition in a backend request handling process that could have misrouted a user’s session to a different authenticated user’s browser, giving them another user’s valid and authenticated session cookie.

GitHub said the problem wasn’t the result of compromised account passwords, SSH keys, or personal access tokens (PATs), and there’s no evidence to suggest this was the result of a compromise of any other GitHub systems.

“Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user,” said Mike Hanley, CSO at GitHub.

He added that the underlying bug existed on GitHub for a cumulative period of fewer than two weeks at various times between February 8 and March 5. 

“Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug,” added Hanley.

He said that there was no indication the bug affected any other GitHub properties or products, including GitHub Enterprise Server, and added the session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.

Hanley said for the few users who the bug affected, GitHub has contacted them with additional information and guidance. He added that users should now log back in and follow the company’s security best practices for users and organizations.

GitHub promised to share the findings of its investigations and the issue’s root cause analysis “in the coming weeks.”

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022