GitHub Quirks

Cool GitHub quirks that can help when investigating a GitHub repository.

Email Disclosure

Be sure to check several different commits and repositories. A user who normally commits with their work email may accidentally have used their private email address (which is better for us as the attacker than a work email) when pushing an update to a repository.

  1. Navigate to a Git repository, e.g. https://github.com/sherlock-project/sherlock

  2. Go to the commits by clicking "2,136 commits" in the top right


  3. Click a person's commit, e.g. https://github.com/sherlock-project/sherlock/commit/b3360170e9a7e092ec36608378f593adf9347d2e

  4. Append .patch to the end of the URL and note the user's email address exposed!
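
To see what your own commits would expose through this .patch view before you push them, the added example below (not part of the original page) scans patch-format text for addresses that are not GitHub noreply addresses. It goes slightly beyond the `From:` header described above by also checking the `Signed-off-by:` and `Co-authored-by:` trailers; the function name `exposed_addresses` and the sample patch are constructed for illustration.

```python
import re
from email.utils import parseaddr

# GitHub privacy addresses look like "username@users.noreply.github.com"
# or "1234567+username@users.noreply.github.com".
NOREPLY = re.compile(r"^(\d+\+)?[A-Za-z0-9-]+@users\.noreply\.github\.com$", re.I)
# Header and commit-message trailers that carry an identity in patch output.
# Anchored at column 0, so diff body lines (prefixed with '+', '-' or ' ')
# are never mistaken for headers.
IDENTITY_LINE = re.compile(r"^(From|Signed-off-by|Co-authored-by):\s*(.+)$", re.I)

# Constructed sample in `git format-patch` layout (not a real commit).
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jane Doe <jane.doe@personal.example>
Date: Mon, 1 Jan 2024 10:00:00 +0000
Subject: [PATCH] Fix typo in README

Co-authored-by: Sam Lee <1234567+samlee@users.noreply.github.com>
Signed-off-by: Jane Doe <jane@corp.example>
---
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-From: old text
+From: nobody@example.org
"""


def exposed_addresses(patch_text):
    """Return sorted (field, address) pairs that are not GitHub noreply addresses."""
    found = set()
    for line in patch_text.splitlines():
        m = IDENTITY_LINE.match(line)
        if not m:
            continue
        field = m.group(1).lower()
        addr = parseaddr(m.group(2))[1].lower()  # strips the display name
        if "@" in addr and not NOREPLY.match(addr):
            found.add((field, addr))
    return sorted(found)


if __name__ == "__main__":
    for field, addr in exposed_addresses(SAMPLE_PATCH):
        print(f"{field}: {addr} would be visible in the .patch view")
```

For a real check, pass it the output of `git format-patch --stdout <range>` for the commits you are about to push. If it reports anything, set `git config user.email` to your GitHub noreply address and enable "Keep my email addresses private" in your GitHub email settings.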