@h8rry discovered that email replies to issues or pull requests occassionaly disclosed a “mute the thread” token to other users. All email notifications for pull requests and issues contain a link to stop receiving further notifications. To simplify the user experience, these links included a unique token that allowed users to unsubscribe, even if they were not currently logged in to GitHub.com. However, because email clients include some of the original email in their reply, this token sometimes gets included in replies rendered on GitHub.com. An attacker could have used these links to mute a thread for another user.

We addressed the issue by ensuring the user making a request with the token is the same user the token was generated for (i.e. users must be logged in to click a “mute the thread” link going forward).