@bwoebi and @kelunik discovered that when GitHub.com set a cookie on a cross-domain redirect response, the Safari browser would set that cookie on the domain that was being redirected to, instead of on GitHub.com. This resulted in the GitHub session cookies of Safari users being sent to various third parties.

We mitigated this vulnerability by not setting cookies on redirect responses. After this mitigation was in place, we revoked all active Safari sessions to invalidate any leaked session cookies. This Safari vulnerability was given the Common Vulnerabilities and Exposures identifier CVE-2015-1089 and was fixed by Apple in OS X v10.10.3.