sel1 30 days ago

"email addresses are part of the metadata for each individual commit. When those commits are pushed to remote hosting services like GitHub, those email addresses become visible not only to fellow developers, but also to malicious actors aiming to exploit them."

Isn't this overblown a little bit? If it's part of the metadata and it's pushed to a public space, how is it a 'large-scale-exploit'? I might be ignorant of a few things here so would love to be corrected on this.

I agree it's a little overblown. But GitHub should really figure out quickly how to not expose emails like that.

I think many developers don't realize how accessible it is -- typically the email is set in some .git profile that you set up once, maybe not even in connection to GitHub. It's not obvious that when you're using GitHub, your email from that file is being made public.

Also this is somewhat worse than your typical email leak because the email address can be tied to all the GitHub activity, which in many cases includes a lot of professional activity. Targeted phishing (aka spearphishing) has a lot more to go off of.

If you haven't already, I suggest you go to your GitHub Settings > Emails and check "Keep my email addresses private" and "Block command line pushes that expose my email".
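To make the point of the thread concrete (the address lives in the commit headers, not anywhere on the hosting site), here is an added example, not code from the article or the comments above, that parses `git log --format=raw` output and lists the addresses a harvester would collect, ignoring GitHub's noreply forms (`noreply@github.com` and `ID+username@users.noreply.github.com`, which is what the privacy setting and GitHub Desktop substitute). The commit hashes, names and addresses in the sample are constructed; run it against a real repository with `git log --format=raw | python3 check_emails.py`.

```python
import re
import sys
from collections import Counter

# Constructed sample of `git log --format=raw` output (two commits).
# The hashes, names and addresses are invented for this example.
SAMPLE_LOG = """commit 1111111111111111111111111111111111111111
tree 2222222222222222222222222222222222222222
author Alice Example <alice@example.com> 1569000000 +0000
committer Alice Example <alice@example.com> 1569000000 +0000

    Add feature

commit 3333333333333333333333333333333333333333
tree 4444444444444444444444444444444444444444
parent 1111111111111111111111111111111111111111
author Bob Example <12345678+bob@users.noreply.github.com> 1569000100 +0000
committer GitHub <noreply@github.com> 1569000100 +0000

    Merge pull request
"""

# author/committer header lines: "<role> <name> <email> <timestamp> <tz>"
HEADER_RE = re.compile(
    r"^(author|committer) (.*?) <([^>]*)> (\d+) ([+-]\d{4})$", re.M
)

# GitHub's two noreply forms; anything else is a real, harvestable address.
NOREPLY_RE = re.compile(
    r"^(?:\d+\+)?[^@\s]+@users\.noreply\.github\.com$|^noreply@github\.com$"
)


def extract_identities(raw_log):
    """Return (role, name, email) for every author/committer header in the log.

    Both headers are scanned: a squash or rebase can put a different
    address in the committer field than in the author field.
    """
    return [(m.group(1), m.group(2), m.group(3)) for m in HEADER_RE.finditer(raw_log)]


def is_noreply(email):
    """True if the address is one of GitHub's noreply placeholders."""
    return bool(NOREPLY_RE.match(email))


def exposed_addresses(raw_log):
    """Count occurrences of each non-noreply address, as a scraper would."""
    counts = Counter()
    for _role, _name, email in extract_identities(raw_log):
        if not is_noreply(email):
            counts[email] += 1
    return counts


if __name__ == "__main__":
    # Read a real log from stdin when run as a script; fall back to the sample.
    log_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for email, n in exposed_addresses(log_text).most_common():
        print(f"{n:5d}  {email}")
```

The regex matches the header format git has used since the beginning, so the same parser works on `git cat-file -p <commit>` output. Once you have flipped the GitHub setting, rewriting old history with `git filter-repo` is the only way to remove addresses already pushed; the setting only blocks future pushes.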

Are there any negative consequences to simply putting garbage in the email field rather than a dummy email address, whether on github or for git in general?

Per the abstract, it sounds like they just... scraped a bunch of email addresses out of the commits in a tree? Is that newsworthy? There's one sentence in there about "targeted phishing attacks", but nothing to back it up.

Please someone tell me this is more than just email address harvesting?

Seems like it is just email address harvesting. The countermeasures linked in the article are just ways to anonymize the data more, but I'm not sure why we want that. They even suggest not using a username to identify a user...

Seems like this should be flagged for being clickbait/trying to induce fear.

This reminds me of when HaveIBeenPwned errantly notified me that my explicitly-public-by-choice GitHub email address was "leaked" by GeekedIn.

This is not noteworthy.

Worth noting that GH Desktop will default git to the noreply email when going through initial setup.
