GitHub Fixed a Bug impacting Authenticated Sessions
GitHub automatically logged out many users of its platform by invalidating their GitHub.com sessions.
Earlier this month GitHub received a report of anomalous behavior from an external party and fixed the underlying bug to protect user accounts against a potentially serious security vulnerability.
The anomalous behavior was caused by a race condition vulnerability that misrouted a GitHub user’s login session to the web browser of another logged-in user, handing the latter a valid authenticated session cookie and, with it, access to the former user’s account.
What happened?
Starting yesterday, GitHub signed out all users who were logged in before March 8th. The precaution was taken a week after the company had received an initial report of suspicious behavior from an external party.
On March 2, GitHub received an external report of anomalous behavior affecting an authenticated GitHub.com user session.
Upon receiving the report, GitHub Security and Engineering immediately began investigating to determine the root cause, impact, and prevalence of the issue on GitHub.com.
On Friday, the GitHub team remediated the security flaw and continued to analyze the situation in depth over the weekend. The vulnerability could be exploited only in extremely rare circumstances, when a race condition occurred during backend request handling, causing the session cookie of a logged-in GitHub user to be sent to the browser of another user and giving the latter access to the former user’s account.
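To make the failure mode concrete, here is an added illustration (not GitHub’s code, and not a description of their actual root cause) of how a race in request handling can hand one user’s session cookie to another user’s response, beside a request-scoped version with a server-side invariant check; the cookie values, account names and the `preempt` hook that stands in for thread scheduling are all constructed for the example.

```python
# Added illustration (not GitHub's code): how a race in request handling can
# hand one user's session cookie to another user's response, and a fix.
from dataclasses import dataclass

# Constructed session store: cookie value -> account (hypothetical values).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# --- Vulnerable pattern: one process-wide slot for "the current session". ---
_current_session = None  # shared by every in-flight request


def vulnerable_handle(cookie, preempt=None):
    """Handle a request; `preempt` simulates another request being scheduled
    in the middle of this one (a deterministic stand-in for a real race)."""
    global _current_session
    _current_session = cookie             # stage 1: stash on shared state
    if preempt:
        preempt()                         # another request runs here
    # stage 2: response built from shared state, which may now belong to another user
    return {"set_cookie": _current_session, "user": SESSIONS[_current_session]}


def vulnerable_race():
    """Request A (alice) is preempted by request B (bob). Returns A's response."""
    return vulnerable_handle("sess-alice", preempt=lambda: vulnerable_handle("sess-bob"))


# --- Hardened pattern: the session lives only in request-scoped state, and the
# response is checked against the request before it is sent. ---
@dataclass
class Request:
    cookie: str


def safe_handle(req, preempt=None):
    session = req.cookie                  # local to this request only
    if preempt:
        preempt()
    response = {"set_cookie": session, "user": SESSIONS[session]}
    # Defensive invariant: never emit a session that did not arrive on this request.
    if response["set_cookie"] != req.cookie:
        raise RuntimeError("session misrouting detected; response dropped")
    return response


def safe_race():
    """Same interleaving as vulnerable_race(), but A keeps its own session."""
    return safe_handle(Request("sess-alice"), preempt=lambda: safe_handle(Request("sess-bob")))
```

In the vulnerable path, Alice’s response carries Bob’s cookie and account; the request-scoped version returns Alice’s own session under the same interleaving, and the invariant check gives an alerting point if any other code path ever violates it.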
“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems.”
“Instead, this issue was due to the rare and isolated improper handling of authenticated sessions.”
“Further, this issue could not be intentionally triggered or directed by a malicious user,” says Mike Hanley, Chief Security Officer at GitHub.
The vulnerability was discovered and fixed rapidly
The company stated that the bug existed on GitHub.com for less than two weeks and that no other GitHub.com assets or products appear to have been affected by it.
“We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com.”
“For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement.
The company is still analyzing whether any project repositories or source code were tampered with as a result of this vulnerability, since this type of authentication vulnerability could pave the way for software supply-chain attacks.
Why can’t you control the timeout of a user’s session?