GitHub rushed to fix the vulnerability within six hours


GitHub fixed a major code exploit in less than six hours last month. Wiz researchers used AI models to uncover a vulnerability in GitHub's internal git security that could have allowed attackers to access millions of public and private databases.

“Our security team immediately began verifying the bug bounty report. Within 40 minutes, we had recreated the vulnerability internally and confirmed its severity,” explains Alexis Wales, who leads information security at GitHub. “This was a serious problem that needed immediate action.”

GitHub’s engineering team created a fix and deployed it less than an hour after identifying the root cause, protecting GitHub.com and GitHub Enterprise Server. “Within two hours we confirmed our findings, sent a fix to github.com, and started a forensic investigation that confirmed there was no fraud,” says Wales. This means the issue was fixed within six hours of Wiz’s report.

The vulnerability was discovered “using AI,” according to Wiz. It is not clear what kind of AI helped find the problem. “Obviously, this is one of the first problems discovered in closed binaries using AI, showing changes that are known for errors,” says Sagi Tzadik, a security researcher at Wiz.

Although GitHub’s quick response meant that a fix was in place within hours, Wiz cautions that the vulnerability was “very easy to use,” despite the complexity of GitHub’s system. “Finding a bug of this quality and severity is rare, receiving one of the highest awards available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions,” says Wales.

The discovery of a major vulnerability in GitHub comes just days after GitHub had a big problem in which previously compiled content (code images) was automatically returned to other users. GitHub also had another incident last week. I reported last week on GitHub’s reliability, highlighting a GitHub employee who says “the company is collapsing, because of an outage that’s terrible and has damaged the company’s reputation… and because of the leadership.”
