GitHub fixes bug causing users to log into other accounts

Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability.

Earlier this month GitHub had received a report of anomalous behavior from an external party.

The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie of and access to the former user's account.

GitHub logs out users automatically due to a bug

As of yesterday, GitHub signed out all users that were logged in prior to March 8th, 12:03 UTC.

This step was taken almost a week after the company had received an initial report of suspicious behavior on GitHub.com, from an external party.

"On March 2, GitHub received an external report of anomalous behavior for their authenticated GitHub.com user session."

"Upon receiving the report, GitHub Security and Engineering immediately began investigating to understand the root cause, impact, and prevalence of this issue on GitHub.com," reads a security announcement from the company.

On Friday, March 5th, GitHub teams remediated the security flaw and continued with the analysis over the weekend.

Further, invalidating all the sessions last night was the final step taken to patch the bug.

The vulnerability, according to GitHub, could be exploited in extremely rare circumstances when a race condition would occur during the backend request handling process.

In such a case, the session cookie of a logged-in GitHub user would be sent to the browser of another user, giving the latter access to the former user's account.

"It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems."

"Instead, this issue was due to the rare and isolated improper handling of authenticated sessions."

"Further, this issue could not be intentionally triggered or directed by a malicious user," says Mike Hanley, Chief Security Officer at GitHub.

Fewer than 0.001% of sessions affected

The company states that the underlying bug was present on GitHub.com for a cumulative period of under two weeks at certain points in time between February 8th and March 5th, 2021.

After the initial cause was identified and fixed by March 5th, the company issued a second patch on March 8th to further strengthen the security of the website.

This is what caused GitHub to invalidate all logged-in sessions active prior to midday March 8th.

There is no evidence that other GitHub.com assets or products such as GitHub Enterprise Server were impacted as a result of this bug.

"We believe that this session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.com."

"For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance," continues Hanley in the announcement.

Although we are yet to confirm the full extent of the impact of this bug, the 0.001% of authenticated sessions estimate could mean over tens of thousands of accounts, considering GitHub gets over 32 million active visitors (authenticated or not) in a month.

Additionally, the company is yet to comment on if any of the project repositories or source code were tampered with as a result of this vulnerability.

Authentication vulnerabilities like these if exploited by adversaries can pave the way for covert software supply-chain attacks.

BleepingComputer reached out to GitHub for comment before publishing and we are awaiting their response.