GitHub Bug Allowed Account Takeover


A vulnerability on GitHub, a popular platform for software developers, has allowed users to log into other users' accounts. According to GitHub, it was a 'race condition' in the backend that caused users to get a valid and authenticated session cookie from another user in very rare cases.


The platform states that the problem was not caused by compromised passwords, SSH keys or private access tokens. Also, no evidence was found that the situation was caused by compromised GitHub systems. "The problem stemmed from the improper handling of authenticated sessions," said Mike Hanley of GitHub.


The bug that caused a session cookie to reach the wrong user could not be deliberately caused by an attacker, notes Hanley. In total, the bug was present on GitHub for almost two weeks between February 8 and March 5 of this year. After discovery of the cause, a patch was rolled out on March 5, followed by a second patch on March 8 that should provide additional protection against such bugs.


Hanley states that less than 0.001 percent of authenticated sessions on GitHub.com were affected by the bug. As a precaution, GitHub has decided to invalidate all sessions on GitHub.com created before March 8th. Users of affected accounts have been notified by GitHub and provided with further information and advice. GitHub says it will soon publish a more extensive analysis of the cause.
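The article describes two things worth seeing in code: how a backend race can hand one request a session that belongs to another user, and the blanket invalidation of every session created before a cutoff that GitHub used as a precaution. The following is an added, constructed Python model of that bug class and of those two controls; it is not GitHub's code (GitHub has not published the defective code path), and every name in it (`SessionStore`, `vulnerable_login`, `safe_login`, `run_interleaved`, the user names) is an assumption chosen for the illustration. Interleaving between in-flight requests is modelled deterministically with generators instead of real threads so the hazard reproduces every time.

```python
"""Constructed illustration (added example, not GitHub's code) of a
session-handling race: request-scoped data parked in process-wide shared
state can be overwritten by a concurrent request, so the cookie issued
belongs to someone else.  Also shows the precautionary control of
rejecting every session issued before a cutoff."""
import secrets
import threading
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: int  # monotonic counter standing in for an issue timestamp


class SessionStore:
    """Thread-safe cookie -> Session map with a global not-before cutoff."""

    def __init__(self):
        self._lock = threading.Lock()
        self._sessions = {}
        self._clock = 0
        self._not_before = 0  # sessions issued before this value are rejected

    def issue(self, user):
        with self._lock:
            self._clock += 1
            cookie = secrets.token_hex(16)  # unguessable opaque identifier
            self._sessions[cookie] = Session(user, self._clock)
            return cookie

    def lookup(self, cookie):
        """Return the session's user, or None if unknown or invalidated."""
        with self._lock:
            s = self._sessions.get(cookie)
            if s is None or s.issued_at < self._not_before:
                return None
            return s.user

    def invalidate_before(self, issued_at):
        """Mass invalidation: every session issued before `issued_at` stops
        validating, without needing to know which ones were affected."""
        with self._lock:
            self._not_before = issued_at

    @property
    def now(self):
        with self._lock:
            return self._clock


class SharedScratch:
    """Process-wide mutable object (the defect: it is shared by all requests)."""
    user = None


scratch = SharedScratch()


def vulnerable_login(store, user):
    """Request handler modelled as a generator; each `yield` is a point where
    the scheduler may switch to another in-flight request."""
    scratch.user = user          # authenticated user parked in shared state
    yield                        # another request may run here ...
    return store.issue(scratch.user)  # ... and this may now be their user


def safe_login(store, user):
    """Same handler with the authenticated user kept request-local."""
    current_user = user
    yield
    return store.issue(current_user)


def run_interleaved(handlers):
    """Round-robin scheduler: advance every handler one step per round."""
    results = {}
    pending = list(handlers.items())
    while pending:
        still_running = []
        for name, gen in pending:
            try:
                next(gen)
                still_running.append((name, gen))
            except StopIteration as done:
                results[name] = done.value  # the cookie the handler returned
        pending = still_running
    return results


def demo(handler):
    """Two users log in concurrently; report whose session each one received."""
    store = SessionStore()
    cookies = run_interleaved({
        "alice": handler(store, "alice"),
        "bob": handler(store, "bob"),
    })
    return {name: store.lookup(c) for name, c in cookies.items()}


def demo_invalidation():
    """Old session stops validating after the cutoff; a fresh one still works."""
    store = SessionStore()
    old = store.issue("carol")
    store.invalidate_before(store.now + 1)  # reject everything issued so far
    new = store.issue("carol")
    return store.lookup(old), store.lookup(new)


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_login))  # alice holds bob's session
    print("safe:      ", demo(safe_login))
    print("cutoff:    ", demo_invalidation())
```

With the vulnerable handler, alice's request reads `scratch.user` after bob's request has overwritten it, so alice is issued a session that authenticates her as bob; the request-local version never crosses that boundary. The `invalidate_before` control is the defender's counterpart to GitHub's decision to expire all sessions created before the second patch: because the store rejects by issue time rather than by identity, it does not depend on knowing exactly which sessions were mixed up.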
