Got an account on a site like Github? Hackers may know your e-mail address - martey
http://arstechnica.com/security/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/

======
Smerity
Singling out GitHub seems silly. If you're on GitHub, have a .gitconfig with
name + email, and you've made a commit, then that's all public.

If a site uses your Gravatar, game over: Gravatar's literally a raw MD5 of
your email with the aim to give you a globally identifiable avatar. That's
been known (documented!) for a long time and unlikely to be a surprise to many
of us here.

The only place this is likely to be an issue is when a site knows you but you
assume you're anonymous. If you're using a web service where you want to be
anonymous, connecting anything with your identity is a bad idea.

~~~
martey
> _The only place this is likely to be an issue is when a site knows you but
> you assume you're anonymous. If you're using a web service where you want
> to be anonymous, connecting anything with your identity is a bad idea._

While I wish the article headline mentioned Gravatar as opposed to Github, I
think it is worth realizing that Github provides instructions to use a fake
email address in your .gitconfig to protect your privacy [1] while
simultaneously requiring you to provide a valid email address while setting up
your account. [2]

[1]: [https://help.github.com/articles/keeping-your-email-address-private](https://help.github.com/articles/keeping-your-email-address-private)

[2]: [https://help.github.com/articles/github-terms-of-service#a-account-terms](https://help.github.com/articles/github-terms-of-service#a-account-terms)

------
walesmd
Isn't this public knowledge? "Oh no! 'Hackers' have my oh-so-sacred email
address! Yeah, that thing on all of my sites, business cards, dozens of whois
records, resumes, speaker decks, the Dominoes online ordering system, and so
on... What shall I ever do?"

I'd seriously question their talent if they weren't able to find it.

~~~
warp
Yes, developers have known about this problem for years.

But Gravatar and sites using Gravatar are terrible at explaining these risks
to less technical users. Those users have an expectation of privacy when a
site claims they won't share their e-mail address with anyone. No one has told
them how incredibly easy it is to verify that their user account on one of the
sites they use is the same person as a user account on a different site.

------
cbhl
The article title is link bait. The article is about Gravatar, and GitHub only
matters because it utilizes Gravatar.

(Your email address may be visible in all sorts of other ways on GitHub, such
as when someone does git log on a public git repository.)

If you're worried about your Gravatar being matched to your inflammatory
(i.e., trolling) Hacker News or WordPress comments, you probably should be
using a separate email account and Tor and whatnot.

------
jff
My email address? Oh god no!

~~~
chrischen

    slawmaster at... that google email provider.

I managed to decode that after a few hours of brute forcing. You should apply
some stronger obfuscation methods.

------
thejosh
Doesn't github also store it in a json response?

~~~
cmelbye
Yes.
[https://api.github.com/users/mojombo](https://api.github.com/users/mojombo)

~~~
Aqua_Geek
IIRC, your email only comes back from the API if you've entered something into
the "Email (will be public)" field in your profile. They also allow you to use
a separate email for Gravatar.

------
zalew
the gravatar email recovery hack has been known for years, they are recycling
an old topic.

luckily my email isn't a secret as I publish it everywhere willingly.

~~~
jdubs
The problem is that since they know your email address, they can find your
email from leaked databases... Then try that password to own your repo...

~~~
zalew
what password?

~~~
asperous
Assuming:

* A hacker has a leaked database

* Your email and password are in this database

* Your public email is the same one used in the database

* Plain-text passwords are easy to extract from these leaked databases

* You use the same password and email combination other places

* Other places with that email/password don't use two-step authentication

Then if they have your email they can get your password and try it other
places.

~~~
kintamanimatt
> You use the same password and email combination other places

This is the problem. Every password for every account you create should be
unique. Bonus points if you use a unique email alias for every account you
create too.

------
deadslow
Post something new.