Per the abstract, it sounds like they just... scraped a bunch of email addresses out of the commits in a tree? Is that newsworthy? There's one sentence in there about "targetted phishing attacks", but nothing to back it up.
Please someone tell me this is more than just email address harvesting?
seems like it is just email address harvesting. counter measures linked in the article are just ways to more anonymize data, but I'm not sure why we want that. they even suggest not using a username to identify a user...
seems like this should be flagged for being clickbait/trying to induce fear
"email addresses are part of the metadata for each individual commit. When those commits are pushed to remote hosting services like GitHub, those email addresses become visible not only to fellow developers, but also to malicious actors aiming to exploit them."
Isn't this overblown a little bit? If it's part of the metadata and it's pushed to a public space, how is it a 'large-scale-exploit'? I might be ignorant of a few things here so would love to be corrected on this.
I agree it's a little overblown. But Github should really figure out quickly how to not expose emails like that.
I think many developers don't realize how accessible it is -- typically the email is set in some .git profile that you set up once, maybe not even in connection to github. It's not obvious that when you're using Github, your email from that file is being made public.
Also this is somewhat worse than your typical email leak because the email address can be tied to all the github activity, which in many cases includes a lot of professional activity. Targeted phishing (aka spearfishing) has a lot more to go off of.
If you haven't already I suggest you go to Your Github Settings > Emails and check "Keep my email addresses private" and "Block command line pushes that expose my email"
Are there any negative consequences to simply putting garbage in the email field rather than a dummy email address, whether on github or for git in general?
8 comments
[ 0.24 ms ] story [ 36.4 ms ] threadPlease someone tell me this is more than just email address harvesting?
seems like this should be flagged for being clickbait/trying to induce fear
Isn't this overblown a little bit? If it's part of the metadata and it's pushed to a public space, how is it a 'large-scale-exploit'? I might be ignorant of a few things here so would love to be corrected on this.
I think many developers don't realize how accessible it is -- typically the email is set in some .git profile that you set up once, maybe not even in connection to github. It's not obvious that when you're using Github, your email from that file is being made public.
Also this is somewhat worse than your typical email leak because the email address can be tied to all the github activity, which in many cases includes a lot of professional activity. Targeted phishing (aka spearfishing) has a lot more to go off of.
This is not noteworthy.