@brainopener discovered that information returned from the List your repositories API sometimes returned entries that were not associated with the currently authenticated user. This API endpoint caches recent requests for one minute for performance reasons. The cache was accessed using a cache key composed of various pieces of information, including the user’s IP address and the HTTP basic authentication username used to authenticate to the API. However, when a user accesses the API using an OAuth token, the username component is not checked during authentication.
As a result, an attacker could make requests to the API using the username of another user, but using the OAuth token for their own user. If the other user had accessed the API endpoint in the last minute, and the attacker’s request orginated from the same IP address, the cache key would match and the repository list for the other user would be returned to the attacker.
This attack did not allow any additional read or write access to repository contents. GitHub addressed this issue by modifying the cache key to only include data from the authenticated user.