Several applications implementing “Sign in with GitHub” have been found to use a mutable identifier (the GitHub username) to match external users to their internal user management system. This allows attackers to completely take over the accounts of users whose GitHub username has changed.
If you changed your GitHub username (or a username on any other "Sign in with ..." provider), you should create a new account under your old username immediately. This prevents attackers from claiming your old username and gaining access to the application in your name.
Those applications we found vulnerable to this issue have been contacted.
Using OAuth 2.0 or OpenID Connect for federated login is common practice, and many web apps allow you to “Sign in with X”. The vulnerability we found applies specifically to applications that implement “Sign in with GitHub” and rely on the username to match the GitHub user with the internal user. Here is what a vulnerable “Sign in with GitHub” flow looks like:
/userinfo, to access user information (emails, user id, username, …).
Since the username is mutable on GitHub (you can change it at any time) and the web application never updates its stored copy, users who rename their GitHub account are locked out of their account at the web app. If someone then sets up a new GitHub account under the old username and signs in, the web app matches them to the original user's internal account. The attacker gains full access to that account, without any limitation.
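The following is an added example, not code from any of the affected applications or from ORY, that reproduces the scenario above in a few lines: a user-matching step keyed on the mutable `login` field beside one keyed on the immutable numeric `id` field (both are returned by GitHub's user endpoint). The three user-info responses are constructed for the example; `VulnerableApp`, `HardenedApp` and `demonstrate` are hypothetical names. The same script can be pointed at a real implementation's matching logic to check which identifier it keys on.

```python
"""Federated login: matching by mutable login vs. immutable provider id."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    internal_id: int          # the web app's own user id
    github_login: str         # display name copied from GitHub
    github_id: Optional[int]  # None in the vulnerable app: it never stores it


# Constructed user-info responses (shape of GitHub's `login`/`id` fields).
ALICE_ORIGINAL = {"id": 1001, "login": "alice"}
ALICE_RENAMED = {"id": 1001, "login": "alice-renamed"}   # same account, new name
ATTACKER = {"id": 9999, "login": "alice"}                # new account, old name


class VulnerableApp:
    """Keys internal users on the GitHub login (username)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}   # login -> User
        self._next_id = 1

    def sign_in(self, userinfo: dict) -> User:
        login = userinfo["login"]
        user = self.users.get(login)
        if user is None:                   # unknown login: create a fresh account
            user = User(self._next_id, login, None)
            self._next_id += 1
            self.users[login] = user
        return user


class HardenedApp:
    """Keys internal users on the immutable GitHub numeric id."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}   # github id -> User
        self._next_id = 1

    def sign_in(self, userinfo: dict) -> User:
        github_id = userinfo["id"]
        user = self.users.get(github_id)
        if user is None:                   # unknown id: create a fresh account
            user = User(self._next_id, userinfo["login"], github_id)
            self._next_id += 1
            self.users[github_id] = user
        else:                              # known id: refresh the mutable login
            user.github_login = userinfo["login"]
        return user


def demonstrate(app_cls) -> Dict[str, bool]:
    """Run the rename-then-squat sequence against one implementation."""
    app = app_cls()
    alice = app.sign_in(ALICE_ORIGINAL)       # Alice registers
    alice_after = app.sign_in(ALICE_RENAMED)  # Alice renames and signs in again
    attacker = app.sign_in(ATTACKER)          # attacker claims the old login
    return {
        "alice_locked_out": alice_after.internal_id != alice.internal_id,
        "attacker_has_alice": attacker.internal_id == alice.internal_id,
    }


if __name__ == "__main__":
    print("vulnerable:", demonstrate(VulnerableApp))
    print("hardened:  ", demonstrate(HardenedApp))
```

Against `VulnerableApp` both flags are true: Alice lands in a fresh empty account after renaming, and the attacker's sign-in resolves to Alice's original internal id. Against `HardenedApp` both are false, and Alice's stored display name is simply updated on her next sign-in.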
You can confirm whether a web app uses a mutable identifier (e.g. the username) to match the external (e.g. GitHub) user to the internal (e.g. MyApp) one with the following steps:
The following steps should be taken immediately:
Why disclose this publicly:
If you want to avoid similar mistakes, we at ORY are developing the next-generation, open source identity infrastructure. Check out our GitHub.