Security News > 2021 > March > GitHub bug caused users to login to other user accounts
Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability.
The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie of and access to the former user's account.
As of yesterday, GitHub signed out all users that were logged in prior to March 8th, 12:03 UTC. This step was taken almost a week after the company had received an initial report of suspicious behavior on GitHub.com, from an external party.
"On March 2, GitHub received an external report of anomalous behavior for their authenticated GitHub.com user session."
In such a case, the session cookie of a logged-in GitHub user would be sent to the browser of another user, giving the latter access to the former user's account.
This is what caused GitHub to invalidate all logged-in sessions active prior to midday March 8th. There is no evidence that other GitHub.com assets or products such as GitHub Enterprise Server were impacted as a result of this bug.