by smarx007 1461 days ago
I just got it as well and don't understand what I can do. Can I somehow force all generated tokens to be revoked and get apps to generate new tokens to be on the safe side? Or, rather, is there a way to do this without uninstalling the apps and installing them again?
3 comments

> Each of these tokens are valid for up to 1 hour.

> GitHub quickly fixed the issue and established that this bug was recently introduced, existing for approximately 5 days between 2022-02-25 18:28 UTC and 2022-03-02 20:47 UTC.

It doesn't sound like there is anything you can or need to do with respect to these tokens (whether they were used to take action with elevated permissions is a different thing, but it doesn't sound like that was the case either).

It seems like the appropriate thing to do would be to inform anyone who had tokens created during the affected time period, so they could assess if any of the permissions led to undesired changes. Instead of GitHub saying “we don’t have hard proof of anything bad happening” and waiting 3 months, just give the customer the time of relevant token creations.

The email listed the apps that issued tokens in the specified time window. If your notification email listed 0 apps, it means no apps created tokens during the time window in question (I got 1 app listed). I only missed that those tokens had a 1h lifetime.

Listing token times instead of just apps, and doing so nearer the actual time instead of 3 months later, are the key parts of my suggestion.

Aren't these very time limited anyways (hours vs days)? So once they fix the bug and wait an hour, the old tokens are gone anyways?
Per the email:

> Each of these tokens are valid for up to 1 hour.

So these tokens would've been expired for 3 months now, according to when the fix was deployed.

You could revoke the PEM that generated these tokens, but as others have pointed out, the tokens in question are only valid for 60 minutes at maximum.