Simon Willison’s Weblog

Thursday, 18th March 2021

How we found and fixed a rare race condition in our session handling. GitHub had a terrifying bug this month where a user reported suddenly being signed in as another user. This is a particularly great example of a security incident report, explaining how GitHub identified the underlying bug, what caused it and the steps they are taking to ensure bugs like that never happen in the future. The root cause was a convoluted sequence of events which could cause a Ruby Hash to be accidentally shared between two requests, triggered by a new background thread that had been introduced as a performance optimization.
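As an added illustration (constructed for this post, not GitHub's code), here is the general shape of the bug: a per-request Hash that the app reuses is handed to a background thread by reference, so the thread still sees the object after a later request has overwritten it. The `ContextPool` and `record_requests` names are hypothetical, and the worker is started only after all requests finish so the timing window is reproduced deterministically.

```ruby
# Hypothetical stand-in for per-request state (a session, a Rack env).
# The same Hash object is reused for every request, which is the
# precondition that makes a retained reference dangerous.
class ContextPool
  def initialize
    @ctx = {}
  end

  # Reset the shared Hash for the next request and return it.
  def checkout(user)
    @ctx.clear
    @ctx[:user] = user
    @ctx
  end
end

# Handle each request, hand its context to a background worker, and
# return the list of users the worker believed it was acting for.
# snapshot: false -> pass the live Hash (the bug)
# snapshot: true  -> pass an immutable copy taken inside the request (the fix)
def record_requests(users, snapshot:)
  pool = ContextPool.new
  queue = Queue.new

  users.each do |user|
    ctx = pool.checkout(user)              # "request" runs here
    queue << (snapshot ? ctx.dup.freeze : ctx)
  end
  queue << :done

  seen = []
  # Worker runs after the requests, so every retained reference points
  # at the Hash as the *last* request left it.
  Thread.new do
    while (ctx = queue.pop) != :done
      seen << ctx[:user]
    end
  end.join
  seen
end

if __FILE__ == $PROGRAM_NAME
  p record_requests(%w[alice bob carol], snapshot: false) # all "carol"
  p record_requests(%w[alice bob carol], snapshot: true)  # alice, bob, carol
end
```

The defensive pattern is the same whatever the framework: anything that outlives the request gets a copy (or just the scalar values it needs) rather than a reference to mutable request state.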

# 11:06 pm / github, security, threads
