So long and short, GitHub got a report via their support team from a user who, while using GitHub.com logged in as their own user, was suddenly authenticated as another user. They immediately logged out and reported the issue.
How we found and fixed a rare race condition in our session handling - The GitHub Blog
Threading is cited as the issue.
we identified a potential thread safety issue that could be triggered by functionality that was recently rearchitected to improve performance. One such performance improvement involved moving the logic to check a user’s enabled features into a background thread that refreshed on an interval rather than checking their enablement while the request was being processed. This change seemed to touch the right areas and the undefined behavior of this thread safety issue now made it the focus of our investigation.
The main application that handles most browser interactions on GitHub.com is a Ruby on Rails application and it was known to have components that were not written to run in multiple threads (i.e., are not thread-safe). Historically, the thread unsafe behavior could lead to an incorrect value being reported in an exception internally, but not to any user facing behavior change.
Threads were already used in other places in this application, but the new background thread produced a novel and unforeseen interaction with our exception handling routines. When exceptions were reported from a background thread, such as a query timeout, the error log would contain information from both the background thread and the currently running request, showing that the data was being pulled across threads.
We don't know what else is not thread-safe; the fact this got past QA and other checks makes me think GitHub is an all-your-eggs-in-one-basket situation.
Ruby on Rails, or Rails, is a server-side web application framework written in Ruby under the MIT License.
Ruby (programming language) - Wikipedia
Seems parts of Ruby might not have been thread-safe until the last decade, according to this post from 2011.
Does ruby have real multithreading? - Stack Overflow
So the long and short is that, for a number of years (because I'm not convinced this is the only vector), an attack vector could have existed which could have affected other people's code, like Clarion code hosted on GitHub, which in turn could become an attack vector into other programming languages, like a game of Go.
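As an added illustration of the thread-safety problem the quoted passages describe (my own Ruby example, not GitHub's code; the class names, the user names and the Queue-based handshake are assumptions made for the demo): a process-wide "current user" slot is overwritten by a background thread, so an exception reported from the request thread is attributed to the wrong user, while a per-thread slot keeps the two threads isolated. The interleaving is forced with Queues so the result is deterministic rather than a timing race.

```ruby
# Added example (not GitHub's code): why a process-wide "current user" slot
# leaks across threads, and why a per-thread slot does not. The interleaving is
# forced with Queues so the outcome is deterministic rather than a timing race.

# UNSAFE: one slot for the whole process. Any thread that writes it clobbers
# whatever another thread stored there.
class SharedContext
  class << self
    attr_accessor :current_user
  end
end

# SAFE: one slot per thread. Thread#thread_variable_set is strictly per-thread
# (unlike Thread#[], which is per-fiber), so a background thread's writes are
# invisible to the request thread.
module ThreadLocalContext
  def self.current_user=(user)
    Thread.current.thread_variable_set(:current_user, user)
  end

  def self.current_user
    Thread.current.thread_variable_get(:current_user)
  end
end

# Simulates one request whose "current user" is stored in +ctx+, while a
# background refresh thread (a stand-in for the interval-based feature-flag
# refresher in the blog post) stores a different user in the same context
# abstraction and then "reports an exception". Returns which user each side
# saw at reporting time.
def simulate_request(ctx, request_user:, background_user:)
  start    = Queue.new  # request -> background: go ahead
  reported = Queue.new  # background -> request: here is what I reported

  background = Thread.new do
    start.pop
    ctx.current_user = background_user
    # Exception reported from the background thread: attribute it to "current user".
    reported.push(ctx.current_user)
  end

  ctx.current_user = request_user
  start.push(true)
  background_saw = reported.pop
  background.join

  # The request now reports its own exception. With SharedContext this reads
  # the background thread's user, which is exactly the cross-thread leak.
  { request_saw: ctx.current_user, background_saw: background_saw }
end

# True when each side attributed its report to its own user.
def attribution_isolated?(ctx, request_user: "alice", background_user: "bob")
  seen = simulate_request(ctx, request_user: request_user, background_user: background_user)
  seen[:request_saw] == request_user && seen[:background_saw] == background_user
end

if __FILE__ == $PROGRAM_NAME
  p simulate_request(SharedContext,      request_user: "alice", background_user: "bob")
  p simulate_request(ThreadLocalContext, request_user: "alice", background_user: "bob")
end
```

Run it and the SharedContext line shows the request thread reporting as "bob" even though it set "alice"; the ThreadLocalContext line keeps "alice" and "bob" on their own threads. The same pattern applies to any per-request state (current user, locale, request id) kept in a class-level variable that a background thread can also touch.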