undefined | Better HN

0 pointscaptn3m01y ago0 comments

GitHub uses fairly long-lived sessions. "sudo mode"[0] on GitHub, where it asks for a verification of the 2FA is only for sensitive actions, which PR merges are not. So a cookie-stealing attack can easily merge PRs for quite a while.

And 2FA isn't a requirement for a PR merge afaik, Except via org-wide enforcement? So the guarantee is lower - the commit was merged with a valid session token.

[0]: https://docs.github.com/en/authentication/keeping-your-accou...

0 comments

the_mitsuhiko1y ago

If you enforce an organization to have a 2FA sign-in then yes, it's enforced that the session was created with a second factor. In Sentry's case you also need to go through SSO once every 24 hours. There is no way for you to get a valid session token without going through that which can be used to create a signed merge commit.

j / k navigate · click thread line to collapse

0 comments

the_mitsuhiko1y ago

j / k navigate · click thread line to collapse