@avlidienbrunn reported an issue where certain GitHub.com endpoints could serve a response that would be interpreted by Adobe Reader as a PDF file when embedded on an attacker’s domain. Because Adobe products do not respect the same-origin policy or the X-Content-Type-Options header, the PDF calculator APIs implemented by Adobe Reader could be used to make authenticated HTTP requests to GitHub.com. This could be exploited to disclose the authenticated user’s data to the attacker’s domain.

This vulnerability is mitigated by the fact that a user needs to make significant configuration changes to use Adobe Reader in modern browsers for inline rendering of PDFs. Other PDF renderers are not affected by this vulnerability.

While the underlying vulnerability lies with Adobe Reader, we mitigated the issue by stripping bytes matching PDF file headers from affected endpoints. We are also continuing our effort to move user-provided content to the sessionless githubusercontent.com domain.

We strongly discourage using Adobe Reader. Google Chrome, FireFox, and Safari have built-in PDF renderers that are not vulnerable to this style of attack.

The ability to use PDF for this style of attack was originally identified by Alex Inführ in this blogpost.