GitHub Fixes Vulnerability That Caused User Session Spoofing

GitHub has reported that it reset all authenticated sessions on GitHub.com, so users have to sign in to the service again, because of a security issue. The problem is noted to be very rare, affecting only a small number of sessions, but it is potentially very dangerous, as it allowed one authenticated user to access another user's session.

The vulnerability is caused by a race condition in the backend's request handling, which led to a user's session being routed to another user's browser, giving that browser full access to someone else's session cookie. It is estimated that the misrouting affected about 0.001% of all authenticated sessions on GitHub.com. It is stated that the misrouting arose from a random combination of circumstances that an attacker cannot deliberately trigger. The problematic change was introduced on February 8 and fixed on March 5. On March 8, additional checks were added to provide more general protection against this class of error.
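The bug class described above, as an added illustration that is not GitHub's code and does not claim to reproduce its actual mechanism: two requests on one worker share a mutable session slot, and a deterministic interleaving shows one user's response carrying the other user's cookie, while the second handler keeps state request-scoped and adds a user/session consistency check of the kind the "additional checks" mentioned above suggest. The handler names, the generator-based scheduler and the sample sessions are constructed for this example.

```python
"""Cross-request session leakage via shared mutable state (constructed example)."""

# Shared mutable state: one slot reused by every request handled on this worker.
_shared = {"session": None}

def vulnerable_handler(user_id, session_store):
    """Generator: each `yield` marks a point where another request may run."""
    _shared["session"] = session_store[user_id]   # step 1: load session into the shared slot
    yield                                         # worker switches to another request here
    return {"set_cookie": _shared["session"]}     # step 2: emit whatever is in the slot now

def safe_handler(user_id, session_store):
    """Same flow, but the session lives in request-scoped state."""
    session = session_store[user_id]              # local to this request only
    yield
    # Consistency check before the response leaves the server (assumed defensive check).
    if session["user"] != user_id:
        raise RuntimeError("session/user mismatch for %s" % user_id)
    return {"set_cookie": session}

def run_interleaved(handler, users, session_store):
    """Deterministic scheduler: advance every request one step per round
    (round-robin), which is exactly the interleaving that exposes the race."""
    gens = {u: handler(u, session_store) for u in users}
    results, pending = {}, list(users)
    while pending:
        for u in list(pending):
            try:
                next(gens[u])
            except StopIteration as done:
                results[u] = done.value
                pending.remove(u)
    return results

def cross_user_leaks(results):
    """Return the users whose response carried another user's session cookie."""
    return sorted(u for u, r in results.items() if r["set_cookie"]["user"] != u)

# Constructed sample sessions for two authenticated users.
SESSIONS = {"alice": {"user": "alice", "cookie": "sid-A"},
            "bob": {"user": "bob", "cookie": "sid-B"}}

if __name__ == "__main__":
    print(cross_user_leaks(run_interleaved(vulnerable_handler, ["alice", "bob"], SESSIONS)))
    print(cross_user_leaks(run_interleaved(safe_handler, ["alice", "bob"], SESSIONS)))
```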

Source: opennet.ru
