With help from AI, Wiz Research found a bug that could have exposed GitHub code. GitHub says it confirmed the issue fast and shipped a fix within hours.
In short: GitHub says it fixed a severe security bug in less than six hours after researchers reported it.
GitHub rushed out a fix for a “critical remote code execution” bug, according to reporting by The Verge. Remote code execution means an attacker could trick a system into running their commands, like getting a building’s staff to hand over the keys and follow instructions.
The bug was found by Wiz Research through GitHub’s bug bounty program, which pays researchers for reporting security problems. Wiz said it used AI models to help uncover the issue in GitHub’s internal git infrastructure, the behind-the-scenes system that helps handle code updates.
GitHub chief information security officer Alexis Walesa said the company reproduced the problem within 40 minutes and confirmed it was serious. GitHub then identified the root cause and deployed a fix to protect both GitHub.com and GitHub Enterprise Server, which is a version companies can run for their own teams. Walesa also said GitHub started an investigation and found no sign the bug had been used to attack anyone.
Wiz warned that while this kind of bug is rare, it was “remarkably easy to exploit.” The researchers also said this may be one of the first times a critical bug was found in closed-source binaries using AI. Closed-source means the code is not publicly available, like a locked appliance that still has a hidden defect.
GitHub hosts millions of public and private software projects, including code used by businesses and governments. If a flaw like this were abused, attackers could potentially access or change important code, which can lead to wider problems for apps and online services people rely on every day.
Source: The Verge AI