GitHub was forced to log out some of its users to protect others against a potentially serious security flaw.
According to a GitHub blog post on March 8, it invalidated all authenticated sessions on GitHub “out of an abundance of caution” to protect users.
Earlier in the month, GitHub received an external report of anomalous behavior for their authenticated GitHub user session. Once GitHub received the report, its security and engineering teams began to investigate the bug’s cause and impact.
GitHub found the bug was due to a rare condition in a backend request handling process that could have misrouted a user’s session to a different authenticated user’s browser, giving them another user’s valid and authenticated session cookie.
GitHub said the problem wasn’t the result of compromised account passwords, SSH keys, or personal access tokens (PATs), and there’s no evidence to suggest this was the result of a compromise of any other GitHub systems.
“Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user,” said Mike Hanley, CSO at GitHub.
He added that the underlying bug existed on GitHub for a cumulative period of fewer than two weeks at various times between February 8 and March 5.
“Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug,” added Hanley.
He said that there was no indication the bug affected any other GitHub properties or products, including GitHub Enterprise Server, and added the session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.
Hanley said for the few users who the bug affected, GitHub has contacted them with additional information and guidance. He added that users should now log back in and follow the company’s security best practices for users and organizations.
GitHub promised to share the findings of its investigations and the issue’s root cause analysis “in the coming weeks.”
-
The Race Is On for Higher Ed to Adapt: Equity in Hyflex Learning -
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Organizations urged to act fast after GitHub Action supply chain attackNews More than 20,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action.
-
Nearly a million devices were infected in a huge GitHub malvertising campaignNews Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
-
'GitVenom' campaign uses dodgy GitHub repositories to spread malwareNews Security researchers have issued an alert over a campaign using GitHub repositories to distribute malware, with users lured in by fake projects.
-
Malicious GitHub repositories target users with malwareNews Criminals are exploiting GitHub's reputation to install Lumma Stealer disguised as game hacks and cracked software
-
A leaked GitHub access token could have led to a catastrophic supply chain attackNews The GitHub access token with administrator level privileges could have been used to great effect by threat actors
-
Hackers have found yet another way to trick devs into downloading malware from GitHubNews Threat actors have developed a new way to covertly embed malicious files into legitimate repositories on both GitHub and GitLab using the comment section
-
Hackers are abusing GitHub's search function to spread malware
News Hackers are using the names of popular GitHub repositories to trick users into downloading malicious code, new research reveals.
-
Hackers take advantage of AI hallucinations to sneak malicious software packages onto enterprise repositoriesNews New research reveals a novel attack path where threat actors could leverage nonexistent open-source packages hallucinated by models to inject malware into enterprise repositories
