Vulnerability has the potential to expose users’ session cookies


GitHub users were forcibly signed out of their accounts yesterday (March 8) to protect against a security bug that could have exposed a user’s session cookies.

The maintainers of GitHub explained that they invalidated all authenticated sessions “out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability”, which GitHub said affected a “small number” of users.

In a blog post, GitHub said that the vulnerability – a race condition in a backend request handling process – could have misrouted a user’s session to the browser of another authenticated user, handing that user a valid, authenticated session cookie belonging to someone else.
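
The session misrouting described above, modelled as an added example (not GitHub’s code): one way such a race arises is a process-wide “current session” slot that is written by one request and read back by another that is handled concurrently. The session values, request ids and the forced interleaving are constructed for illustration; the thread-local variant shows the fix.

```python
import threading

# Constructed sample sessions for two concurrent requests (not real data).
SESSIONS = {
    "req-1": {"user": "alice", "cookie": "session=alice-token"},
    "req-2": {"user": "bob", "cookie": "session=bob-token"},
}


class SharedSlot:
    """Unsafe: a single process-wide slot holds 'the current session'."""
    def __init__(self):
        self.current = None
    def set(self, session): self.current = session
    def get(self): return self.current


class ThreadLocalSlot:
    """Safe: each worker thread sees only the session it stored itself."""
    def __init__(self):
        self._local = threading.local()
    def set(self, session): self._local.current = session
    def get(self): return getattr(self._local, "current", None)


def handle(slot, request_id, after_set, before_respond):
    """Two-phase handler: store the authenticated session, later read it
    back to emit the Set-Cookie value. Events expose the window between."""
    slot.set(SESSIONS[request_id])
    after_set.set()
    before_respond.wait()
    return slot.get()["cookie"]


def run_interleaved(slot):
    """Force the interleaving set(req-1), set(req-2), respond(req-1), respond(req-2)."""
    results = {}
    set1, set2, go1, go2 = (threading.Event() for _ in range(4))
    def worker(rid, after_set, before_respond):
        results[rid] = handle(slot, rid, after_set, before_respond)
    t1 = threading.Thread(target=worker, args=("req-1", set1, go1))
    t2 = threading.Thread(target=worker, args=("req-2", set2, go2))
    t1.start(); set1.wait()   # req-1 stores alice's session
    t2.start(); set2.wait()   # req-2 stores bob's session (overwrites a shared slot)
    go1.set(); t1.join()      # req-1 responds: with SharedSlot it reads bob's cookie
    go2.set(); t2.join()
    return results


def misrouted(results):
    """Request ids whose response carried another user's session cookie."""
    return {rid for rid, c in results.items() if c != SESSIONS[rid]["cookie"]}
```

With `SharedSlot`, `misrouted(run_interleaved(...))` reports `req-1`, i.e. alice's response carries bob's cookie; with `ThreadLocalSlot` nothing is misrouted.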

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs),” the blog post reads.

It adds: “There is no evidence to suggest that this was the result of a compromise of any other GitHub systems. Instead, this issue was due to the rare and isolated improper handling of authenticated sessions.

“Further, this issue could not be intentionally triggered or directed by a malicious user.”

Suspicious behavior

The incident came after a user submitted a report of “anomalous” behavior on their GitHub account.

“Upon receiving the report, GitHub Security and Engineering immediately began investigating to understand the root cause, impact, and prevalence of this issue on GitHub.com,” the company said.

“We took initial corrective action to patch the vulnerability on March 5 and continued our analysis throughout the weekend.”

The bug existed on GitHub between February 8 and March 5. It is believed that session misrouting occurred on less than 0.001% of sessions.

Any users affected by the issue will be contacted, said GitHub. All users can log back in and continue as normal.
