During a pre-release of GitHub.com’s SAML single sign-on feature provided to previous bounty hunters, @yasinS discovered that recovery codes for SAML authentication could be accessed by unauthorized users. These codes are redeemed by organization administrators in the situation when the configured SAML authentication service is unavailable. However, proper authorization checks were missing from this endpoint and the codes could be downloaded by unauthenticated users. This would allow a compromised organization administrator account to be able to access the organization without additional SAML authentication.
We fixed this issue by performing correct authorization checks on the recovery code download endpoint. Additionally, we audited other areas of our code where similar authorization checks were performed to ensure they were properly authenticated.