@mathiasbynens along with @tomvangoethem discovered that Gist could leak Referer headers for Gists containing certain user-content. This did not allow an attacker to disclose the private URLs of arbitrary Gists. We remediated this issue within modern browsers by adding support for the <meta name="referrer" content="never">
tag on private Gists.
Along with @tomvangoethem, @mathiasbynens discovered an Open Redirect vulnerability in GitHub.com. An attacker could have exploited this vulnerability to redirect users from GitHub.com to arbitrary sites. We have addressed this issue by improving our redirect URL checking.