Wed | Mar 10, 2021 | 8:46 AM PST

If you find yourself logged out of GitHub today, there is actually a good reason why.

GitHub announced that it had invalidated every logged-in session on GitHub.com after fixing a bug in its handling of authenticated sessions.

Mike Hanley, GitHub's new CSO as of February 2021, shared why users may have been logged out of the platform:

"On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions.

On March 2, GitHub received an external report of anomalous behavior for their authenticated GitHub.com user session. Upon receiving the report, GitHub Security and Engineering immediately began investigating to understand the root cause, impact, and prevalence of this issue on GitHub.com. We took initial corrective action to patch the vulnerability on March 5 and continued our analysis throughout the weekend."

What happened with GitHub?

Hanley says that in extremely rare circumstances, a condition in a backend request handling process could misroute a user's session to the browser of another authenticated user. The second user's browser would then hold a valid, authenticated session cookie for the first user's account, without either user having done anything unusual.

He also stresses that the issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs), and that there is no evidence it resulted from compromised GitHub systems.

Hanley attributes the issue to "rare and improper handling of authenticated sessions," and adds that it could not have been caused or directed by a malicious user.
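As an added illustration of the bug class Hanley describes (this is hypothetical example code, not GitHub's, and makes no claim about how GitHub's handler actually failed), the block below runs two users' requests through a two-stage pipeline. The leaky variant parks the authenticated session in a process-wide slot shared by every in-flight request, so when the stages of two requests interleave, one user's response is built from the other user's session. The scoped variant carries the session on the request object itself; the identity check in its `respond` method is an assumed hardening measure, not one the announcement describes. The session table and cookie values are constructed for the example.

```ruby
# Added illustration, not GitHub's code: session misrouting between concurrent
# requests when the "current session" lives in process-wide state, beside a
# request-scoped variant that cannot leak.

# Constructed sample session table (cookie value -> account).
SESSIONS = {
  'cookie-alice' => 'alice',
  'cookie-bob'   => 'bob'
}.freeze

# Process-wide slot: every request in this process reads and writes the same one.
module CurrentSession
  class << self
    attr_accessor :cookie
  end
end

class LeakyPipeline
  # Stage 1: authenticate the cookie and park it in the shared slot.
  def authenticate(cookie)
    raise ArgumentError, 'unknown session' unless SESSIONS.key?(cookie)
    CurrentSession.cookie = cookie
  end

  # Stage 2: render a response from whatever the slot holds *now*. If another
  # request ran its stage 1 in between, this is the other user's session.
  def respond
    cookie = CurrentSession.cookie
    { user: SESSIONS[cookie], set_cookie: cookie }
  end
end

# Per-request context: the session never leaves the request that owns it.
Request = Struct.new(:cookie, :user)

class ScopedPipeline
  def authenticate(cookie)
    raise ArgumentError, 'unknown session' unless SESSIONS.key?(cookie)
    Request.new(cookie, SESSIONS[cookie])
  end

  # Assumed defence in depth (not a measure the announcement describes):
  # refuse to emit a cookie that does not map to the user this request
  # authenticated, so a misroute fails closed instead of leaking.
  def respond(req)
    unless SESSIONS[req.cookie] == req.user
      raise SecurityError, 'session/user mismatch'
    end
    { user: req.user, set_cookie: req.cookie }
  end
end

# Run Alice's and Bob's requests with their stages interleaved, an ordering a
# concurrent server can produce: A.auth, B.auth, A.respond, B.respond.
# The interleaving is explicit here so the outcome is deterministic.
def interleaved_leaky
  pipe = LeakyPipeline.new
  pipe.authenticate('cookie-alice')
  pipe.authenticate('cookie-bob')
  alice_response = pipe.respond # built while the slot holds Bob's cookie
  bob_response   = pipe.respond
  [alice_response, bob_response]
end

def interleaved_scoped
  pipe = ScopedPipeline.new
  alice_req = pipe.authenticate('cookie-alice')
  bob_req   = pipe.authenticate('cookie-bob')
  [pipe.respond(alice_req), pipe.respond(bob_req)]
end
```

Calling `interleaved_leaky` returns Alice's response carrying `cookie-bob`, which is exactly the outcome Hanley describes: a valid session cookie for one account delivered to another user's browser. `interleaved_scoped` returns each user's own cookie, and any code path that did manage to pair the wrong cookie with a request would raise rather than respond.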

How did GitHub fix the issue?

Hanley went on to describe how the company fixed the issue, which affected only a very small number of users:

"The underlying bug existed on GitHub.com for a cumulative period of less than two weeks at various times between February 8, 2021 and March 5, 2021. Once the root cause was identified and a fix developed, we immediately patched GitHub.com on March 5. A second patch was deployed on March 8 to implement additional measures to further harden our application from this type of bug. There is no indication that other GitHub.com properties or products were affected by this issue, including GitHub Enterprise Server. We believe that this session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.com.

Out of an abundance of caution, and with a strong bias toward account security, we’ve invalidated all sessions on GitHub.com created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched. For the very small population of accounts that we know to be affected by this issue, we've reached out with additional information and guidance."
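One way to implement the blanket invalidation Hanley describes, as an added example that is not GitHub's code: give each session cookie a server-assigned issue time covered by a MAC, and have authentication reject any cookie issued before a global cutoff. That retires every older session in one configuration change rather than a mass delete, and because the timestamp is signed, a client cannot move its own session past the cutoff. The cookie layout, signing key and helper names are assumptions for the illustration; only the cutoff instant comes from the announcement.

```ruby
# Added example, not GitHub's code: signed session cookies with a server-side
# issue time, rejected wholesale when issued before a global cutoff.
require 'openssl'
require 'time'

# Constructed signing key; a real deployment draws this from a secret store.
SIGNING_KEY = 'example-only-signing-key'.freeze

# The cutoff from the announcement: sessions created before 12:03 UTC on
# 8 March 2021 are invalid.
SESSIONS_INVALID_BEFORE = Time.parse('2021-03-08T12:03:00Z')

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SIGNING_KEY, payload)
end

# Compare MACs without leaking where they first differ.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie layout (assumed): "<user>|<unix issued_at>|<hmac>". issued_at comes
# from the server clock, never from the client, and the MAC covers it.
def issue_session(user, issued_at: Time.now.utc)
  raise ArgumentError, 'user must not contain |' if user.include?('|')
  payload = "#{user}|#{issued_at.to_i}"
  "#{payload}|#{sign(payload)}"
end

# Returns the user for an acceptable cookie, nil otherwise. Order matters:
# verify the MAC first, then trust the timestamp it covers, then apply the
# cutoff. A cookie issued exactly at the cutoff is still valid ("prior to").
def authenticate(cookie, cutoff: SESSIONS_INVALID_BEFORE)
  user, issued, mac = cookie.to_s.split('|', 3)
  return nil if user.nil? || issued.nil? || mac.nil?
  return nil unless constant_time_eq(sign("#{user}|#{issued}"), mac)
  return nil unless issued.match?(/\A\d+\z/)
  return nil if Time.at(issued.to_i).utc < cutoff
  user
end
```

Two points worth noting in the design. The cutoff must be compared against a timestamp the server controls, which is why it is embedded under the MAC rather than read from a separate client-supplied cookie; and for server-side session tables the same approach works by storing `created_at` per row and checking it at lookup, which is cheaper and more atomic than deleting every row at once.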

GitHub CSO Mike Hanley takes security seriously

Mike Hanley was hired as GitHub's new CSO in February 2021. In a blog post last month, he wrote that he is committed both to securing the platform itself and to helping developers build secure software through GitHub's security investments.

"Making security easy and effective for everyone is close to my heart after five years building and leading the security program at Duo Security. My time there solidified for me that good security and the speed of the business are not opposing concepts when met with thoughtful design and a customer-centric approach. I believe that security done well allows us to go further, faster, and more confidently than ever before."

For more information about the GitHub authentication issue, you can read GitHub's blog post here.
