It's well-explained and fairly presents the facts and GH's position. Based on the reaction here, it's clear many people are not aware of these footguns. If anything, the article is a public service.
Based on the comments, many have known since 2018. GitHub has made multiple statements about it.
It's been written about multiple times, and now truffle is reposting old content with a name like IDOR to try to invent a new vuln class that doesn't exist.
The title of the post is misleading, a specific set of repos leak data under specific circumstances - not every repo. The first two sentences of the post immediately downscope the claim made by the title.
I'm guessing you didn't bother to check out their YouTube.
This post is the only thing the OP has ever posted in 8 months, probably because it's truffle themselves. I stand by my statement, it's clickbait.
> Based on the comments, many have known since 2018. GitHub has made multiple statements about it.
And many more haven't known. It wouldn't be sitting on the front page with 1300+ upvotes otherwise. This is, effectively, not some ho-hum old news -- even if it was for you. And that's what so many are complaining about. The hypocrisy of violating POLA so blatantly and then shrugging it off, pointing to some explanation buried in the docs that they know damn well most people won't read, and saying "Hey the info is right there, on you if you didn't RTFM".