Tell HN: GitHub may have leaked your webhook secrets. Check your email.

9 points | by ssiddharth | 3 days ago
Got an email from Github a few minutes back asking me to rotate my webhook secrets, the relevant portions of it below.

We're writing to let you know that between September 2025 and January 2026, webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries. This means that any system receiving webhook payloads during this window could have logged the webhook secret from the request headers. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint in a base64-encoded format. We have no evidence to suggest your secrets were intercepted. This issue was fixed on January 26, 2026. Please read on for more information.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event.

What happened?

On January 26, 2026, GitHub identified a bug in a new version of the webhook delivery platform where webhook secrets were included in an `X-Github-Encoded-Secret` HTTP header sent with webhook payloads. This header was not intended to be part of the delivery and made the webhook secret available to the receiving endpoint in a base64-encoded format. Webhook secrets are used to verify that deliveries are genuinely from GitHub, and should only be known to GitHub and the webhook owner.

The bug was limited to only a subset of webhook deliveries that were feature flagged to use this new version of the webhooks platform. The bug was present between September 11, 2025, and December 10, 2025, and briefly on January 5, 2026. The bug was fixed on January 26, 2026.

What information was involved?

The webhook secret for each affected webhook was included in HTTP request headers during the window that the bug was present. The webhook payload content itself was delivered normally and was not additionally affected. No other credentials or tokens were affected. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint.

If the receiving system logged HTTP request headers, the webhook secret may be present in those logs. The webhook secret is used to compute the `X-Hub-Signature-256` HMAC signature on deliveries — if compromised, an attacker who knows the secret could forge webhook payloads to make them appear to come from GitHub.
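As an added example (not from the post or from GitHub), the two checks a receiving side would run after a notice like this: scan logged request headers for the stray `X-Github-Encoded-Secret` header and report whether its decoded value is still the live secret, then verify `X-Hub-Signature-256` against both the new and the old secret so rotation does not reject in-flight deliveries. The log line format and the sample secret are constructed.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Header name that GitHub's notice says was erroneously added to deliveries.
LEAKED_HEADER = "x-github-encoded-secret"
_LEAK_RE = re.compile(rf"{LEAKED_HEADER}:\s*(\S+)", re.IGNORECASE)


def decode_leaked_header(value: str) -> Optional[bytes]:
    """Decode the base64 header value; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_header_log(lines: List[str], current_secret: str) -> List[Dict]:
    """Flag log lines carrying the leaked header and note whether the logged
    value still equals today's secret (i.e. rotation has not happened yet)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = _LEAK_RE.search(line)
        if match is None:
            continue
        decoded = decode_leaked_header(match.group(1))
        still_current = decoded is not None and hmac.compare_digest(
            decoded, current_secret.encode())
        findings.append({"line": lineno, "matches_current_secret": still_current})
    return findings


def sign(secret: str, body: bytes) -> str:
    """Compute the X-Hub-Signature-256 value GitHub sends: 'sha256=<hex>'."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_with_rotation(secrets: List[str], body: bytes, header: str) -> bool:
    """Constant-time check against every secret still accepted; list the new
    secret first and the old one second while rotating."""
    return any(hmac.compare_digest(sign(s, body), header) for s in secrets)


# Constructed sample log of two deliveries; the second carries the stray header.
SAMPLE_SECRET = "hunter2-webhook-secret"  # constructed, not a real secret
SAMPLE_LOG = [
    "POST /hooks/github x-github-event: push x-hub-signature-256: sha256=...",
    "POST /hooks/github x-github-event: push "
    + f"{LEAKED_HEADER}: {base64.b64encode(SAMPLE_SECRET.encode()).decode()}",
]
```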