GitHub fixed critical vulnerability in under six hours
GitHub also faced additional outages last week, adding to a growing trend for the platform
Last month, GitHub's team resolved a significant remote code execution issue in under six hours. Wiz Research utilised AI models to identify a flaw in GitHub’s in-house git setup, potentially allowing hackers to access numerous public and private code repositories.
“Our security team promptly started verifying the bug bounty submission. Within 40 minutes, we reproduced the issue internally and confirmed its seriousness,” explains Alexis Wales, GitHub's chief information security officer. “This was a crucial problem that demanded swift resolution.”
GitHub’s developers created a solution and rolled it out just over an hour after pinpointing the root cause, safeguarding both GitHub.com and GitHub Enterprise Server.
“In less than two hours, we had verified the issue, launched a fix to github.com, and initiated a forensic probe that found no exploitation had occurred,” Wales notes. This means the patch was in place within six hours of Wiz’s report.
According to Wiz, the problem was found “using AI.” However, Wiz has not said which AI model was used for the discovery.
“Particularly, this is one of the first significant vulnerabilities identified in secret binaries using AI, indicating a new approach to detecting these flaws,” shares Sagi Tzadik, a security expert at Wiz.
Although GitHub’s quick action ensured a remedy was deployed rapidly, Wiz cautions that the rare vulnerability was “surprisingly simple to exploit,” despite the complexity of GitHub’s underlying systems.
“A finding of such magnitude and gravity is uncommon, earning one of the top rewards in our Bug Bounty initiative, and reminds us that highly impactful security research comes from adept researchers who pose the right questions,” adds Wales.
The discovery of a critical vulnerability in GitHub comes shortly after GitHub experienced a significant outage that unexpectedly reverted previously merged code changes for some users.
Last week, I reported on staff worries regarding GitHub’s reliability, noting an employee's comment that “the company is falling apart, both with severe outages that have damaged the company’s reputation… and with a leadership exodus.”