Hacker News

sdaac
Behaviour with GitHub's Email Resolver

At work, just noticed that in one of our private repo's contributors page, some strange user was being displayed. Knowing that it could be simply due to some e-mail appearing in the author's commit or within the very own commit message, I just went around looking for anything suspicious in the timeframe from where the commit mentioning this strange user apparently happened.

After some digging, I tracked down to some commit with the following snippet at the end "Co-authored-by: Copilot <[email protected]>". Well, it could be it, but would be very strange if that was the case. So, in my personal account, I created a private, separate repo and tested. A simple commit, arbitrary title, but with a commit message having the exact same string: "Co-authored-by: Copilot <[email protected]>".

Again, for this test, I didn't use Copilot to generate the commit or the actual "change", but rather just added this string to the message. The commit resolves that e-mail to the exact same strange user I saw in the collaborators list of the company's repo. It's resolving to this guy: github.com/00sadik-lab.

Can anyone confirm the same behaviour?


abhimsheja4 days ago

Multiple users have reported similar observation for both Public as well as Private repositories. And also for older commits.

- https://github.com/orgs/community/discussions/201499

vladdi4 days ago

Same thing I noticed yesterday on my company's repo. A colleague said it happens even on previous commits that used to say "authored by [user] and copilot", now they are "[user] and 00sadik-lab". We recently changed the repo from internal to private, not sure if that's related.

twosdai5 days ago

Github's email integration with security is not great. I found some bugs with management of repo's and email security and I would not be surprised if this is a bug that they have.

lieutanentt4 days ago

Noticed similar behaviour on a company repo

tested adding the string to a private repo but the guy doesn't pop up

sdaacop4 days ago

I see, and thanks for checking. (:

Yesterday, I didn't even thought of searching around in GitHub, but just did now. If you search for any public commits containing that string, you can see that the guy shows up, at the bottom of the cards in the search results.

gnabgib5 days ago

Please don't use HN to test your exploit

sdaacop5 days ago

It's not mine. I just stumbled across this thing. And I'm at least bringing attention to it.

twosdai5 days ago

Its literally called hackernews. They're talking about a bug they noticed and wanted to confirm if other people know about it.

hn-front (c) 2024 voximity
source