Untitled
a guest
Mar 16th, 2021
Hi [...],

We’re writing to let you know that an independent bug bounty researcher recently reported a GitHub Actions bug that, in theory, could have allowed an unauthorized user to fork a public repository which uses Actions and perform a series of steps to edit the main branch or use the GITHUB_TOKEN to perform other unauthorized actions. This bug existed in a very brief window from February 4 to February 5, 2021.

You are receiving this email because you are an owner of one or more GitHub organizations or enterprises with a public repository using Actions, and you had protected and/or unprotected branches that were vulnerable to this bug.

Repos and workflows with unprotected branches: [...]

Repos and workflows with protected branches: [...]

There is currently no evidence to suggest this was the result of a compromise of GitHub or any of its systems; instead this was a recently introduced bug in GitHub Actions. Security, user privacy, and transparency are essential to maintain your trust; therefore, we are notifying you of this change, the steps we took, and additional steps we are taking to address this situation. Read on for more information.

* What happened? *

On February 4, 2021, an independent security researcher notified us of a bug in GitHub Actions that could allow an attacker to alter parent repository code or take certain actions using a GITHUB_TOKEN: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

The GITHUB_TOKEN is revoked after the job is completed, and it expires after a default 60-minute timeout.

* Which repositories were involved? *

Any parent repository with Actions between February 4, 2021 at 18:42 UTC and February 5, 2021 at 13:35 UTC could have had its unprotected main branches edited or experienced misuse of the GITHUB_TOKEN.

* What GitHub is doing *

After learning of this bug on February 5, 2021, GitHub immediately corrected it, and unauthorized users could no longer make changes to your repositories or abuse the GITHUB_TOKEN. GitHub identified any repositories vulnerable during the bug window and contacted all affected organization owners. We are also performing an internal assessment to determine how we can better prevent this sort of bug in the future.

* What you can do *

For repositories listed above without branch protection, we recommend that you audit for both unwanted pull requests and abuse by the GITHUB_TOKEN.

1. Assess commits made during the bug window, February 4, 2021 18:42 UTC to February 5, 2021 13:35 UTC.
2. Assess workflow files for unauthorized injection during the bug window.
3. Assess pull_request_target and pull_request workflow runs, and examine those pull requests during the bug window to look for unauthorized activity. Ignore pull requests from known users with write permissions.
4. Assess release history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window.
5. Assess package history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window.
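As an added example (not part of GitHub's email or tooling), a small Python triage script for the audit steps above: it restricts commits and workflow runs to the stated bug window and flags the ones a reviewer should open, applying the email's rule of ignoring activity from known users with write permission. The record shape, account names, SHAs and timestamps are constructed assumptions, not real API output.

```python
"""Triage helper for the audit steps above (added example, not GitHub's code).
Flags commits and workflow runs inside the Feb 4-5, 2021 bug window that
deserve a human look. All records below are constructed, not real."""
from datetime import datetime, timezone

WINDOW_START = datetime(2021, 2, 4, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 2, 5, 13, 35, tzinfo=timezone.utc)
# Accounts with write permission on the parent repo (assumed list).
WRITERS = {"maintainer-a", "maintainer-b"}

def in_window(ts):
    """True if an ISO-8601 UTC timestamp (GitHub's 'Z' form) falls in the window."""
    return WINDOW_START <= datetime.fromisoformat(ts.replace("Z", "+00:00")) <= WINDOW_END

def suspicious_commits(commits):
    """Default-branch commits in the window by a non-writer, or any commit in the
    window that touches a workflow file (step 2: look for injected workflow changes)."""
    hits = []
    for c in commits:
        if not in_window(c["date"]):
            continue
        touches_workflow = any(f.startswith(".github/workflows/") for f in c["files"])
        if c["author"] not in WRITERS or touches_workflow:
            hits.append(c["sha"])
    return hits

def suspicious_runs(runs):
    """pull_request / pull_request_target runs in the window triggered from a fork by a
    non-writer (step 3); their GITHUB_TOKEN use (releases, packages) should be reviewed."""
    return [r["id"] for r in runs
            if r["event"] in ("pull_request", "pull_request_target")
            and in_window(r["created_at"]) and r["head_repo_fork"]
            and r["actor"] not in WRITERS]

# Constructed sample records, shaped loosely like GitHub API output.
COMMITS = [
    {"sha": "aaa111", "author": "maintainer-a", "date": "2021-02-04T19:00:00Z", "files": ["src/main.py"]},
    {"sha": "bbb222", "author": "outside-user", "date": "2021-02-05T01:10:00Z", "files": ["README.md"]},
    {"sha": "ccc333", "author": "maintainer-b", "date": "2021-02-05T02:00:00Z", "files": [".github/workflows/ci.yml"]},
    {"sha": "ddd444", "author": "outside-user", "date": "2021-02-06T09:00:00Z", "files": ["src/main.py"]},
]
RUNS = [
    {"id": 1, "event": "pull_request_target", "created_at": "2021-02-04T20:15:00Z", "head_repo_fork": True, "actor": "outside-user"},
    {"id": 2, "event": "pull_request", "created_at": "2021-02-05T10:00:00Z", "head_repo_fork": True, "actor": "maintainer-a"},
    {"id": 3, "event": "push", "created_at": "2021-02-05T11:00:00Z", "head_repo_fork": False, "actor": "outside-user"},
    {"id": 4, "event": "pull_request_target", "created_at": "2021-02-05T14:00:00Z", "head_repo_fork": True, "actor": "outside-user"},
]
if __name__ == "__main__":
    print("commits:", suspicious_commits(COMMITS), "runs:", suspicious_runs(RUNS))
```

On a real repository the two lists would be fed from `git log` on the default branch and from the workflow-runs listing for the window, with WRITERS taken from the repository's collaborator permissions.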

For repositories listed above with branch protection, we recommend that you audit for abuse by the GITHUB_TOKEN.

1. Assess release history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window.
2. Assess package history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window.

Feel free to reach out to us with any additional questions or concerns through this contact form: [...]

Thanks,
GitHub Support