5 comments

[ 0.18 ms ] story [ 31.8 ms ] thread
I took the basics of this to see what email addresses it really grabs:

https://gist.github.com/667651

I don't think it's as bad as the author thinks, given that the GitHub account settings page has "Email (publicly visible!)".

I've gone in and removed mine. I can't be certain but when I signed up (before it went fully public, I think) I don't remember it saying the e-mail would ever be visible (and I used the same unique e-mail address I use for all my Git work/commits). So it's well worth GitHub users double check what they have in their profile "just in case" they entered it at a time they though it'd be private.
They provide e-mail addresses over their regular web interface as well. That's why the e-mail field in the account settings says '(publicly visible!)'. This guy is not outing a dangerous, unknown vulnerability—he's just making it a little bit easier for people to behave like obnoxious asses.
It's a good way of getting your SMTP server blacklisted.
A little while back I got an email from someone using this feature to send out his résumé! Quite an ingenious use I thought, find all X developers near Y and send them a friendly form email customised using other details available from their account (like their name) with your résumé and contact information attached.