GitHub bug briefly gave valid authenticated session cookies to wrong users
2021-03-09 06:45

If you visit GitHub today you'll be asked to authenticate anew because the code collaboration locker has squished a bug that sometimes "misrouted a user's session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user."

GitHub disclosed the problem today, explaining that it could only happen under "extremely rare circumstances" and "occurred in fewer than 0.001% of authenticated sessions on GitHub.com."

The service knows which users' sessions were exposed by the flaw and says it has contacted them with guidance and additional information.

The confession post continues: "The underlying bug existed on GitHub.com for a cumulative period of less than two weeks at various times between February 8, 2021 and March 5, 2021."

"Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug. There is no indication that other GitHub.com properties or products were affected by this issue, including GitHub Enterprise Server."

To make sure the bug was squashed, GitHub says it "invalidated all sessions created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/09/github_authentication_bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 12 3 42 30 15 90