@homakov discovered OAuth access tokens for Gist had excessive scope. We have addressed this issue by limiting Gist’s OAuth scope to only public profile information.
This vulnerability has received extra points due to its severity when combined with other reported vulnerabilities.
@homakov notified us that usage of Facebook Connect on Speaker Deck made the application susceptible to account hijacking. This relied on a wontfix issue in Facebook Connect that @homakov has blogged about here. Given that this vulnerability was with Facebook Connect, we decided to completely remove third-party authentication for Speaker Deck.
@homakov discovered that Referer headers could be leaked through cross-origin image requests. In combination with a previously reported vulnerability in our OAuth redirect URI path parsing, this could lead to the disclosure of sensitive information passed to Gist on OAuth redirects. We remediated this issue by making more robust checks when rewriting links to our image proxy. In addition, the rel attribute is set to noreferrer on all links in a Gist. Previously, this was set only for Gists marked as private.
This vulnerability has received extra points due to its severity when combined with other reported vulnerabilities.
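The two remediations above, link rewriting through an image proxy and a forced rel=noreferrer on every anchor, can be shown in one small HTML rewriter. The code below is an added example and not Gist's or GitHub's own code; the proxy origin img-proxy.example.test, the shared key, and the digest-in-path URL scheme are assumptions made for the example. A cross-origin image fetched straight from a third-party host receives the page URL in the Referer header, so plain-http image sources are rewritten to the proxy (which fetches on the server's behalf) and the source is checked by parsed scheme and host rather than by string prefix; anchors get rel=noreferrer whether or not the Gist is secret.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed proxy origin and signing key for this example (not GitHub's values).
PROXY_BASE = "https://img-proxy.example.test"
PROXY_KEY = b"constructed-example-key"


def proxy_url(src: str) -> str:
    """Rewrite an absolute http:// image URL into a proxy URL.  The path carries
    an HMAC over the original URL so only URLs rewritten by the site can be
    fetched through the proxy (a digest-in-path scheme assumed for this example)."""
    raw = src.encode("utf-8")
    digest = hmac.new(PROXY_KEY, raw, hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{digest}/{raw.hex()}"


def image_src_policy(src: str) -> str:
    """Decide what to do with an <img src>: 'proxy' for absolute http:// URLs,
    'keep' for https:// URLs, 'drop' for anything else (relative, protocol-
    relative, data:, javascript:, malformed).  The decision uses the parsed
    scheme and host, never a string prefix test."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return "drop"
    if not parts.hostname:
        return "drop"
    if parts.scheme == "http":
        return "proxy"
    if parts.scheme == "https":
        return "keep"
    return "drop"


class GistLinkRewriter(HTMLParser):
    """Re-emits markup, forcing rel=noreferrer on every <a> and applying
    image_src_policy to every <img>.  It is a rewriter, not a sanitizer:
    content is assumed to have been sanitized before it reaches this step."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities untouched
        self.out = []

    def _render(self, tag, attrs, self_closing):
        attrs = dict(attrs)
        if tag == "a":
            rel = (attrs.get("rel") or "").split()
            if "noreferrer" not in rel:
                rel.append("noreferrer")
            attrs["rel"] = " ".join(rel)
        if tag == "img" and attrs.get("src") is not None:
            action = image_src_policy(attrs["src"])
            if action == "proxy":
                attrs["src"] = proxy_url(attrs["src"])
            elif action == "drop":
                del attrs["src"]
        pieces = [tag]
        for name, value in attrs.items():
            pieces.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_gist_html(markup: str) -> str:
    """Return the rewritten markup for one rendered Gist."""
    rewriter = GistLinkRewriter()
    rewriter.feed(markup)
    rewriter.close()
    return "".join(rewriter.out)


if __name__ == "__main__":
    # Constructed sample Gist markup.
    sample = ('<p>See <a href="https://example.test/doc">docs</a> and '
              '<img src="http://example.test/pic.png" alt="pic"></p>')
    print(rewrite_gist_html(sample))
```

The policy deliberately drops protocol-relative and relative image sources rather than guessing a scheme for them; a rewriter that only looked for a leading "http://" would leave such sources to be fetched by the browser directly, which is the kind of gap the page describes as needing "more robust checks".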
@homakov discovered that the session cookie stored for Gist contained sensitive authentication data. We have addressed this issue by removing this data from the cookie and revoking all Gist authentication tokens that could have been exposed.
This vulnerability has received extra points due to its severity when combined with other reported vulnerabilities.
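The remediation described above, taking authentication data out of the cookie and revoking the tokens that could have been exposed, corresponds to a change in session design that the following added example illustrates side by side. This is not Gist's session code; the signing key, the cookie layout (base64 payload plus an HMAC) and the in-memory store are assumptions made for the example. The point it demonstrates: signing a cookie only prevents tampering, so a token stored inside a signed cookie is readable by anyone who obtains the cookie, whereas a cookie that carries only an opaque session id keeps the token on the server, where it can be revoked in bulk.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the example; a real deployment keeps this secret.
SIGNING_KEY = b"constructed-cookie-signing-key"


def _sign(payload: bytes) -> str:
    """Return base64(payload) + '.' + hex(HMAC-SHA256(payload)).  Signing stops
    tampering; it does nothing to hide the payload from whoever holds the cookie."""
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + mac


def _verify(cookie: str):
    """Return the payload bytes if the cookie's MAC is valid, else None."""
    try:
        payload_b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, mac) else None


# Pattern corresponding to the reported issue: the access token rides in the cookie.
def cookie_with_token(user_id: str, access_token: str) -> str:
    return _sign(json.dumps({"uid": user_id, "token": access_token}).encode("utf-8"))


def token_from_cookie(cookie: str) -> str:
    """No key is needed: anyone holding the cookie recovers the token."""
    payload_b64 = cookie.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload_b64))["token"]


# Hardened pattern: the cookie holds only an opaque session id; the token stays server-side.
class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, access_token: str) -> str:
        """Store the token server-side and return a signed cookie holding only the id."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"uid": user_id, "token": access_token}
        return _sign(session_id.encode("ascii"))

    def lookup(self, cookie: str):
        """Return the session record for a valid cookie, or None."""
        payload = _verify(cookie)
        if payload is None:
            return None
        return self._sessions.get(payload.decode("ascii", errors="replace"))

    def revoke_all(self) -> int:
        """Invalidate every session server-side, as done after an exposure."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


if __name__ == "__main__":
    token = "constructed-access-token"  # constructed sample value
    leaky = cookie_with_token("user-1", token)
    print("token readable from signed cookie:", token_from_cookie(leaky) == token)
    store = SessionStore()
    opaque = store.create("user-1", token)
    print("token present in opaque cookie:", token in opaque)
    print("sessions revoked:", store.revoke_all())
```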
@homakov reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. A response with its Content-Type header value set to image,text/html would pass our content-type checks, which were only ensuring that the value started with image.
While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriously. We addressed the behavior by strictly whitelisting the allowed values for the Content-Type header. We also moved the image proxy to a domain that is not a subdomain of GitHub.com.
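The prefix check described above and the strict whitelist that replaced it are contrasted in the following added example, which is not GitHub's image-proxy code. It parses the media type out of the header (dropping parameters such as a charset and rejecting anything that is not a single type/subtype token) and then requires an exact match against an allowed set; the set itself is an assumption for the example, and image/svg+xml is left out of it on purpose because SVG can carry script. The sample header values are constructed.

```python
from typing import Dict, Iterable, Optional, Tuple

# Allowed media types for a proxied image response.  This set is an assumption
# made for the example; image/svg+xml is deliberately excluded because SVG
# documents can contain script and so are not safe to relay as "just an image".
ALLOWED_IMAGE_TYPES = frozenset({
    "image/png",
    "image/jpeg",
    "image/gif",
    "image/webp",
})


def weak_content_type_check(value: str) -> bool:
    """The check described on the page: accept if the value starts with 'image'.
    Accepts 'image,text/html', which a browser may render as HTML."""
    return value.lower().startswith("image")


def parse_media_type(value: str) -> Optional[str]:
    """Return the lower-cased 'type/subtype' part of a Content-Type header with
    parameters (';charset=...') stripped, or None if it is not a single, well
    formed media-type token."""
    media_type, _, _params = value.partition(";")
    media_type = media_type.strip().lower()
    if media_type.count("/") != 1:
        return None
    main_type, sub_type = media_type.split("/")
    if not main_type or not sub_type:
        return None
    # A media type is one token: commas and whitespace mean a malformed or
    # multi-valued header, which is exactly the bypass the prefix check missed.
    if any(ch in media_type for ch in " ,\t"):
        return None
    return media_type


def strict_content_type_check(value: str) -> bool:
    """Accept only an exact, parsed match against the allowed set."""
    media_type = parse_media_type(value)
    return media_type is not None and media_type in ALLOWED_IMAGE_TYPES


def compare_checks(values: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each header value to (weak_result, strict_result)."""
    return {v: (weak_content_type_check(v), strict_content_type_check(v)) for v in values}


if __name__ == "__main__":
    # Constructed sample Content-Type values, including the reported bypass.
    samples = [
        "image/png",
        "Image/JPEG; charset=binary",
        "image,text/html",
        "image/svg+xml",
        "text/html",
    ]
    for value, (weak, strict) in compare_checks(samples).items():
        print(f"{value!r:32} weak={weak!s:5} strict={strict}")
```

Keeping the parse step separate from the allowlist comparison makes the validation auditable: the parser has one job (produce a single canonical token or nothing), and the policy is a literal set that can be reviewed without reading any string-handling code.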