Why did I get logged out of GitHub.com?

On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions.

On March 2, GitHub received an external report of anomalous behavior for their authenticated GitHub.com user session. Upon receiving the report, GitHub Security and Engineering immediately began investigating to understand the root cause, impact, and prevalence of this issue on GitHub.com. We took initial corrective action to patch the vulnerability on March 5 and continued our analysis throughout the weekend.

The patch to resolve the bug and session invalidation resolves the issue and you may log back in at any time.

What happened and what actions have we taken?

In extremely rare circumstances, a race condition in a backend request handling process could have misrouted a user’s session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user. It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems. Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.

#company #security #github