@rohit-dua discovered that a user’s private Atom feed access token could be leaked to third parties via the Referer header when visiting outbound links. The token is part of the private feed URL, so any page that sends that URL as the referrer discloses it. This issue only affected a small subset of users because most feed readers send their own domain as the referrer, or no referrer at all. However, in some scenarios, such as visiting the feed directly in a web browser that auto-renders Atom feeds, clicking an outbound link in the rendered feed would send the full feed URL, including the private access token, as the Referer. We addressed the vulnerability by adding a ‘noreferrer’ link relation to outbound links.
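The fix described above, shown as an added example rather than GitHub's own code: a small rewriter that walks feed HTML and adds `rel="noreferrer"` to every anchor whose host differs from the feed's host, merging with any `rel` values already present, plus an audit helper that lists outbound links still lacking it. The feed host, the sample fragment and the shape of the private feed URL in the comment are assumptions for illustration.

```python
"""Add rel="noreferrer" to outbound links in feed HTML.

Why: a private feed URL (assumed shape: https://github.com/<user>.private.atom?token=...)
carries the access token in its query string. A browser that renders the feed as a
page would send that URL as the Referer when the reader clicks an outbound link;
rel="noreferrer" tells the browser to send no Referer at all for that link.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


class NoreferrerRewriter(HTMLParser):
    """Re-emits the fragment, adding rel="noreferrer" to outbound <a> tags."""

    def __init__(self, feed_host):
        super().__init__()           # convert_charrefs=True: entities arrive as text
        self.feed_host = feed_host.lower()
        self.out = []
        self.rewritten = []          # hrefs that lacked noreferrer and were fixed

    def _is_outbound(self, href):
        host = urlparse(href).netloc.lower()
        # Relative links have no netloc and stay on the feed's origin.
        return bool(host) and host != self.feed_host

    def _rewrite(self, attrs):
        attr_map = dict(attrs)
        href = attr_map.get("href") or ""
        if not self._is_outbound(href):
            return attrs
        rels = (attr_map.get("rel") or "").split()
        if "noreferrer" in rels:
            return attrs
        rels.append("noreferrer")
        self.rewritten.append(href)
        # Keep other attributes in order; replace (or append) the rel attribute.
        kept = [(k, v) for k, v in attrs if k != "rel"]
        kept.append(("rel", " ".join(rels)))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        parts = [tag]
        for k, v in attrs:
            # HTMLParser hands us unescaped attribute values; re-escape on output.
            parts.append(k if v is None else f'{k}="{html.escape(v, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = self._rewrite(attrs)
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def add_noreferrer(fragment, feed_host="github.com"):
    """Return the fragment with rel="noreferrer" on all outbound anchors."""
    parser = NoreferrerRewriter(feed_host)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def unguarded_outbound_links(fragment, feed_host="github.com"):
    """Audit helper: hrefs of outbound anchors that do not carry rel="noreferrer"."""
    parser = NoreferrerRewriter(feed_host)
    parser.feed(fragment)
    parser.close()
    return parser.rewritten


if __name__ == "__main__":
    # Constructed sample of feed entry content, not real GitHub output.
    sample = ('<p>See <a href="https://example.org/x?y=1">ext</a>, '
              '<a href="/octocat/repo">repo</a> and '
              '<a href="https://evil.test/" rel="nofollow">nf</a></p>')
    print(add_noreferrer(sample))
    print(unguarded_outbound_links(sample))
```

Note that `rel="noreferrer"` is a per-link control; a `Referrer-Policy: no-referrer` response header on the feed itself is a complementary defense for any link the rewriter misses, but it is not something this page says was deployed.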
@rohit-dua discovered a way to sign up for a paid organization plan without providing billing information. When a user creates an organization they can either choose a paid plan for unlimited private repositories or a free plan for unlimited public repositories. When a user chooses a paid plan, we collect billing information before creating the organization. However, @rohit-dua observed that you could submit the form for a free plan but alter the submitted plan type to a paid plan, without providing any billing details: the server trusted the plan type in the request rather than checking that billing had actually been collected. This could have allowed an attacker to create an organization with a paid plan without being charged for the duration of the plan (monthly or yearly).
We addressed the vulnerability by validating the billing information before setting the newly created organization’s plan type.
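The bug and the fix side by side, as an added example that is not GitHub's code: a handler that trusts the submitted `plan` field (the vulnerable pattern) next to one that refuses to assign a paid plan unless the billing details validate first. The form field names, plan names and the stand-in billing check are assumptions; in a real system the validation step would be the call to the payment processor.

```python
"""Organization creation: trusting a client-supplied plan type versus validating
billing before the plan is set. Added illustration; field names are assumed."""
from dataclasses import dataclass

# Assumed plan identifiers. Prices are illustrative only.
PAID_PLANS = {"monthly": 9, "yearly": 90}


@dataclass
class Organization:
    name: str
    plan: str                 # "free" or a key of PAID_PLANS
    billing_valid: bool = False


class BillingError(ValueError):
    """Raised when a paid plan is requested without usable billing details."""


def luhn_ok(number):
    """Luhn checksum, used here only as a stand-in for real card validation."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_billing(billing):
    """Stand-in for charging through a payment processor: require the fields
    and a plausible card number. Returns False rather than raising so the
    caller decides how to fail."""
    if not billing:
        return False
    number = str(billing.get("card_number", "")).replace(" ", "")
    if not (number.isdigit() and 13 <= len(number) <= 19):
        return False
    if not billing.get("name") or not billing.get("exp"):
        return False
    return luhn_ok(number)


def create_org_vulnerable(form):
    """VULNERABLE: the UI only showed the billing step for paid plans, so the
    server assumed a paid plan in the request meant billing had been taken.
    A tampered POST with plan=monthly and no billing fields gets a paid plan."""
    return Organization(name=form["name"], plan=form.get("plan", "free"))


def create_org_fixed(form):
    """FIXED: validate billing before the new organization's plan is set.
    The plan type is derived from what was verified, never from the form alone."""
    requested = form.get("plan", "free")
    if requested == "free":
        return Organization(name=form["name"], plan="free")
    if requested not in PAID_PLANS:
        raise BillingError(f"unknown plan {requested!r}")
    if not validate_billing(form.get("billing")):
        raise BillingError("paid plan requested without valid billing information")
    return Organization(name=form["name"], plan=requested, billing_valid=True)


if __name__ == "__main__":
    # Constructed request: a "free" form submission with the plan field tampered.
    tampered = {"name": "acme", "plan": "monthly"}
    print("vulnerable:", create_org_vulnerable(tampered))
    try:
        create_org_fixed(tampered)
    except BillingError as e:
        print("fixed:", e)
```

The important property of the fixed handler is that the paid plan is only assigned on the code path that has just validated billing, so there is no request shape that reaches the paid branch without it; any later refactor that moves the plan assignment above the check reintroduces the bug.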