70. GitHub information leaked

Vulnerability introduction

GitHub is a very popular code hosting and version control platform that many organizations and developers use to host and share code. If GitHub's security measures are improper or users are not careful, information may leak through GitHub. The following problems can lead to GitHub information leakage:

  • Access control: If users incorrectly set access controls for GitHub repositories, it may allow unauthorized users or bots to access sensitive information.
  • Malicious attacks: Hackers can use various means, such as phishing attacks and social engineering attacks, to obtain the credentials of GitHub users and access their repositories.
  • Public repositories: If a user stores code in a public GitHub repository, others can view and download the code, including sensitive information such as passwords, API keys, and credentials.
  • Code submission: If a user accidentally submits sensitive information to a GitHub repository, others can view the history of the sensitive information, even if the user later deletes the sensitive information from the repository.

Exploit

Email information

smtp @qq.com
smtp @126.com
smtp @163.com
smtp @sina.com.cn
smtp @sina.com.cn password

For example: https://github.com/[email protected]&type=code

Data Connections

Script tool

Utilization tool: GSIL

Project address: https://github.com/FeeiCN/GSIL

Summary at the end of the article

Here are some common ways to fix GitHub information leaks:

  • Information change: If sensitive information has been leaked, it is necessary to change the sensitive information and ensure that the new information will not be leaked again, for example: change passwords, API keys, database credentials, etc.
  • Review the code: The code in the GitHub repository needs to be carefully reviewed to ensure that no other sensitive information has been exposed. Sensitive information such as passwords and credentials can be found using GitHub's search feature.
  • Access permissions: If a user accidentally sets a GitHub repository to public access, the public access permissions need to be removed immediately to prevent further information leakage. You can use GitHub's access control feature to change the access permissions of the repository, or change the repository to private.
  • Undo a commit: If sensitive information has been submitted to the GitHub repository, you can use GitHub's undo commit function to undo the commit and delete the sensitive information. Specifically, use the Git command line or the GitHub web interface to undo the commit, then force push to the GitHub repository to overwrite the submitted history.
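
A way to carry out the review step across the whole history rather than only the current files, as an added example that is not from the original article or from GSIL: it scans `git log -p` style patch text for hard-coded credentials and flags values that a later commit deleted, since those remain readable in history and still need to be changed. The sample history, the function names `scan_history` and `entropy`, and the 3.0 bits-per-character threshold are assumptions made for illustration.

```python
import math
import re

# Constructed `git log -p` style text; commits, paths and values are invented.
SAMPLE_HISTORY = '''\
commit 1111111
+++ b/mailer/config.py
+SMTP_HOST = "smtp.example.com"
+SMTP_PASSWORD = "Xq7#pL2v9sZd"
commit 2222222
+++ b/mailer/config.py
-SMTP_PASSWORD = "Xq7#pL2v9sZd"
+SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
+++ b/README.md
+Set password = "changeme" in your local settings.
'''

ASSIGNMENT = re.compile(
    r"""\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*[:=]\s*["']([^"']{6,})["']""",
    re.IGNORECASE,
)

def entropy(value):
    """Shannon entropy in bits per character; placeholders score low."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def scan_history(patch_text, min_entropy=3.0):
    """Return one finding per hard-coded secret added in the history (value masked)."""
    findings, commit, path = {}, None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith(("+", "-")):
            for name, value in ASSIGNMENT.findall(line[1:]):
                if entropy(value) < min_entropy:
                    continue  # likely a placeholder such as "changeme"
                if line[0] == "+":
                    findings.setdefault(value, {"commit": commit, "path": path,
                                                "name": name, "deleted_later": False})
                elif value in findings:
                    findings[value]["deleted_later"] = True  # still in history
    return [dict(f, masked=v[:2] + "*" * (len(v) - 2)) for v, f in findings.items()]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

On a real repository the input would be the output of `git log -p --all`; a finding with `deleted_later` set is one where removing the line did not remove the exposure.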

Origin blog.csdn.net/Fly_hps/article/details/133951554