Large-Scale-Exploit of GitHub Repository Metadata and Preventive Measures
David Knothe, Frederick Pietschmann

TL;DR
This paper demonstrates how publicly accessible GitHub metadata can be exploited to collect millions of email addresses for targeted phishing, highlighting the need for improved preventive measures and awareness among developers.
Contribution
The paper introduces a tool that leverages the public GitHub API to collect user email addresses efficiently, and proposes preventive strategies to mitigate such exploits.
Findings
Millions of email addresses can be rapidly collected from GitHub metadata.
Existing countermeasures are ineffective against large-scale data harvesting.
Preventive measures and awareness are urgently needed to protect developer privacy.
Abstract
When working with Git, a popular version-control system, email addresses are part of the metadata for each individual commit. When those commits are pushed to remote hosting services like GitHub, those email addresses become visible not only to fellow developers, but also to malicious actors aiming to exploit them. As a part of our research we created a tool that leverages the publicly available GitHub API to collect user data. Analysis of this data not only gives access to millions of email addresses in very little time, but is also powerful and dense enough to create targeted phishing attacks posing a great threat to all GitHub users and their private, potentially sensitive data. Even worse, existing countermeasures fail to effectively protect against such exploits. As a consequence and main conclusion of this paper, we suggest multiple preventive measures that should be…
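The abstract's starting point is that every Git commit carries author and committer email addresses that become harvestable once pushed. The following script is an added illustration of the defensive side, not the paper's collection tool: it parses `git log` output and reports which personal (non-noreply) addresses a repository would expose, so a developer can switch to a GitHub noreply alias or rewrite history before publishing. The sample log and the `audit_repo` helper are assumptions for the example.

```python
"""Audit Git commit metadata for exposed email addresses.

Added illustration, not the paper's tool: checks the author/committer
addresses Git stores in every commit (the metadata that becomes harvestable
once pushed) and flags any that are not GitHub noreply aliases.
Input format: git log --format='%H%x09%ae%x09%ce'
"""
import re
import subprocess
from typing import Dict, List, Set
# GitHub-provided noreply addresses reveal no personal mailbox.
SAFE_RE = re.compile(
    r"^(noreply@github\.com|[^@]+@users\.noreply\.github\.com)$", re.IGNORECASE)

def parse_git_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated '<sha>\t<author email>\t<committer email>' lines."""
    commits = []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(dict(zip(("sha", "author", "committer"), parts)))
    return commits

def exposed_emails(commits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each non-noreply address (lower-cased) to the commits exposing it."""
    exposed: Dict[str, Set[str]] = {}
    for c in commits:
        for email in (c["author"], c["committer"]):
            if not SAFE_RE.match(email):
                exposed.setdefault(email.lower(), set()).add(c["sha"])
    return exposed

def audit_repo(path: str = ".") -> Dict[str, Set[str]]:
    """Run the audit against a local checkout (requires git on PATH)."""
    cmd = ["git", "-C", path, "log", "--format=%H%x09%ae%x09%ce"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return exposed_emails(parse_git_log(out))

# Constructed sample history standing in for a real repository's git log.
SAMPLE_LOG = (
    "a1b2c3\talice@example.com\talice@example.com\n"
    "d4e5f6\t12345+bob@users.noreply.github.com\tnoreply@github.com\n"
    "789abc\tALICE@example.com\tcarol@example.org\n"
)

if __name__ == "__main__":
    for email, shas in sorted(exposed_emails(parse_git_log(SAMPLE_LOG)).items()):
        print(f"{email}: exposed in {len(shas)} commit(s)")
```

Addresses are compared case-insensitively, so the same mailbox written with different capitalisation is reported once with all the commits that carry it.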
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Network Security and Intrusion Detection
