GitHub fixes a user session spoofing vulnerability

GitHub has announced that it invalidated all authenticated sessions on GitHub.com, so users had to sign in again, because of a security issue. GitHub notes that the problem was very rare and affected only a small number of sessions, but that it was potentially very dangerous, since it allowed one authenticated user to end up in another user's session.

The vulnerability was caused by a race condition in the backend's request handling: under a particular interleaving of requests, one user's session was routed to another user's browser, handing the recipient that user's session cookie and therefore full access to the session. GitHub estimates that roughly 0.001% of all authenticated sessions on GitHub.com were affected by the misrouting. According to GitHub, the misrouting resulted from a coincidence of circumstances and could not be triggered deliberately by an attacker. The change that introduced the problem was deployed on February 8 and the bug was fixed on March 5. On March 8, additional checks were added to provide more general protection against this class of error.
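The class of bug described above, as an added illustration that is not GitHub's code and does not claim to reproduce the actual defect: a request handler that keeps per-request data (here, the session cookie to set) on an object shared between concurrently processed requests, a deterministic scheduler that forces the unlucky interleaving a real server reaches only by chance, the per-request fix, and a hypothetical response-time check of the kind the report describes as added protection. The session ids, user names, and handler names are constructed for the demo.

```python
# Added illustration, not GitHub's code: how a race on shared mutable
# request state can hand one user's session cookie to another user.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample session store (assumption for the demo): session id -> user.
SESSIONS: Dict[str, str] = {"sid-alice": "alice", "sid-bob": "bob"}


@dataclass
class Response:
    body: str
    set_cookie: Optional[str]


class SharedStateHandler:
    """Buggy handler: remembers the request's session on the handler object,
    which is shared by every request being processed concurrently."""

    def __init__(self) -> None:
        self.current_session: Optional[str] = None

    def handle(self, cookie: str):
        # Phase 1: authenticate and stash the session on shared state.
        self.current_session = cookie
        user = SESSIONS[cookie]
        yield  # scheduling point: another request may run here
        # Phase 2: build the response from shared state, which may by now
        # hold a different request's session.
        return Response(body=f"hello {user}", set_cookie=self.current_session)


class PerRequestHandler:
    """Fixed handler: all per-request data lives in locals of this call."""

    def handle(self, cookie: str):
        user = SESSIONS[cookie]
        yield  # same scheduling point, but nothing shared to corrupt
        return Response(body=f"hello {user}", set_cookie=cookie)


def run_interleaved(handler, cookies: List[str]) -> List[Response]:
    """Deterministic scheduler: run phase 1 of every request before any
    phase 2. A real server hits this interleaving only by chance, which is
    why such a bug surfaces rarely and is hard to trigger on purpose."""
    gens = [handler.handle(c) for c in cookies]
    for g in gens:
        next(g)  # advance each request to its yield
    responses: List[Response] = []
    for g in gens:
        try:
            next(g)  # finish the request; the generator's return value is the Response
        except StopIteration as done:
            responses.append(done.value)
    return responses


def misrouted(cookies: List[str], responses: List[Response]) -> List[Tuple[str, str]]:
    """(requesting user, cookie they received) for every response that sets
    a session cookie other than the requester's own."""
    return [(SESSIONS[c], r.set_cookie) for c, r in zip(cookies, responses)
            if r.set_cookie is not None and r.set_cookie != c]


def guard(cookie: str, response: Response) -> Response:
    """Defence in depth (hypothetical): before a response leaves the server,
    refuse to send a session cookie that does not match the request's own
    authenticated session. Fails closed instead of leaking the session."""
    if response.set_cookie is not None and response.set_cookie != cookie:
        return Response(body="internal error: session mismatch", set_cookie=None)
    return response


if __name__ == "__main__":
    cookies = ["sid-alice", "sid-bob"]
    buggy = run_interleaved(SharedStateHandler(), cookies)
    print("buggy:", misrouted(cookies, buggy))      # [('alice', 'sid-bob')]
    fixed = run_interleaved(PerRequestHandler(), cookies)
    print("fixed:", misrouted(cookies, fixed))      # []
    guarded = [guard(c, r) for c, r in zip(cookies, buggy)]
    print("guarded:", misrouted(cookies, guarded))  # []
```

In the buggy run, Alice's response is assembled after Bob's request has overwritten the shared slot, so Alice receives `sid-bob`: the misrouting the report describes. The fix is to keep request-scoped data request-scoped; the guard is the independent check that catches the error class even if another code path reintroduces it.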

Source: media reports.