@adob reported an issue where an endpoint on GitHub.com could be tricked into serving content that Adobe Flash would interpret as a Flash movie. Flash will treat any file as a Flash movie, regardless of file extension or the values of the Content-Type or X-Content-Type-Options headers. A malicious website could host an embed tag with the src pointing to the vulnerable endpoint on GitHub.com. Even though the Flash movie would be loaded by the malicious site, Flash would allow the movie to make HTTPS requests to GitHub.com and to read the response, including any sensitive information such as CSRF tokens.

The only ways to prevent Flash from interpreting a resource as a Flash movie are to not allow user control of the first bytes of the response or to set the Content-Disposition header to attachment. We addressed the vulnerability by removing the feature that required the vulnerable endpoint.