
GitHub OAuth Security Issue - explodingcamera
https://gist.github.com/explodingcamera/57013844da41feea4daa7dae0437d694
======
stock_toaster
explodingcamera, this gist would be much easier to read if you applied some
light formatting to it. Perhaps even as little as adding a '.md' file
extension to the gist "filename" would be sufficient to get word wrap.

~~~
taspeotis
Chrome wraps this [1] in the browser.

[1]
[https://gist.githubusercontent.com/explodingcamera/57013844d...](https://gist.githubusercontent.com/explodingcamera/57013844da41feea4daa7dae0437d694/raw/bfc1b877c2a02bd6d17c5fc88d1678a03bebc38e/Github%2520Security%2520Issue)

------
graystevens
My comments from the other thread:
[https://news.ycombinator.com/item?id=15963787](https://news.ycombinator.com/item?id=15963787)

Very interesting. I wonder if any private organisations set up pseudo/canary
repositories that, when pulled, triggered an alarm? Or simply contained some
monitored API keys or credentials to spot any activity/insider threats.

Might be a neat idea for those businesses that are concerned about their
private repos (either cloud hosted or self hosted).

It may have picked up if anyone was able to exploit this.
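The canary-credential idea in the comment above, as an added example that is not part of the thread or of any project it mentions. It assumes a hypothetical setup: a fabricated key ID (prefixed "CANARY" so it is greppable) is committed to a private repo in a plausible-looking config file, and the service that key nominally belongs to writes one line per authentication attempt in a simple constructed text format. Any use of the key, even a denied one, means someone read the repo, so the detector alerts on the attempt rather than on success.

```python
"""Canary credentials for spotting unauthorised reads of a private repo.

Added example, not code from the discussion thread. Everything here is
assumed: the key format, the config file layout and the log line format
are constructed for illustration.
"""
import re
import secrets
from dataclasses import dataclass

# Registry of canary key IDs -> the private repo each one was planted in.
# The keys are never valid anywhere; their only job is to be used.
canary_registry: dict[str, str] = {}


def make_canary_key(repo_name: str) -> str:
    """Create a fabricated key ID, remember which repo it is planted in,
    and return it. The 'CANARY' prefix is a hypothetical choice that makes
    the ID easy to search for in logs."""
    key_id = "CANARY" + secrets.token_hex(8).upper()
    canary_registry[key_id] = repo_name
    return key_id


def plant_in_config(key_id: str) -> str:
    """Return the text of a plausible-looking config file to commit to the
    repo. The secret is random filler; nothing validates it."""
    return f"API_KEY_ID={key_id}\nAPI_SECRET={secrets.token_hex(16)}\n"


@dataclass
class Alert:
    key_id: str
    repo: str        # which private repo the canary came from
    source_ip: str   # where the attempt came from
    timestamp: str


# Constructed log format (assumption):
#   <timestamp> auth key_id=<id> ip=<addr> result=<ok|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth key_id=(?P<key>\S+) ip=(?P<ip>\S+) result=(?P<res>\S+)$"
)


def detect_canary_use(log_lines, registry=None):
    """Scan auth log lines and return an Alert for every attempt that used a
    registered canary key. Denied attempts still alert: the key should never
    be presented at all, so the attempt itself is the signal."""
    registry = canary_registry if registry is None else registry
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line, skip rather than crash
        key = m.group("key")
        if key in registry:
            alerts.append(Alert(key, registry[key], m.group("ip"), m.group("ts")))
    return alerts


if __name__ == "__main__":
    key = make_canary_key("acme/private-billing")
    print(plant_in_config(key))  # commit this file to the private repo
    # Constructed sample log lines: one real key, one use of the canary.
    sample = [
        "2017-12-20T10:00:00Z auth key_id=AKIAREAL001 ip=10.0.0.5 result=ok",
        f"2017-12-20T10:01:00Z auth key_id={key} ip=203.0.113.7 result=denied",
        "not an auth line",
    ]
    for a in detect_canary_use(sample):
        print(f"ALERT: canary from {a.repo} used from {a.source_ip} at {a.timestamp}")
```

The registry is kept in memory here for brevity; in practice it would live wherever the log pipeline runs, and each private repo would get its own key so the alert names the repo that was read.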

------
arkadiyt
Companies don't generally send out notifications like this for bug bounty
reports or pentesting engagements - kind of implies that they found it being
exploited in the wild.

------
lostmsu
Any relation to the inability to trigger a GCP build using a public org repository?

