From email to GitHub accounts

h51un6
Jan 8, 2022

While recently searching for new OSINT techniques on GitHub, I found an old repository entitled “enumerate-github-users” by antnks.

Git commits usually contain the name and email address of their author. antnks observed that GitHub automatically resolves these email addresses to their associated GitHub accounts, if they exist. So he created a script that builds commits with arbitrary spoofed author email addresses.

The technique was great, but antnks’ work was a proof-of-concept, not a tool suitable for production.

The main point was to understand the exact scope of this technique:

  1. Are private email addresses detected?
  2. Does GitHub resolve secondary email addresses?
  3. Is the account owner notified?

GitHub resolves all the email addresses linked to an account, even if the address is private, secondary or unverified. The account owner is not notified, but the fake repository appears on his board, because he becomes one of its contributors. It is therefore important that the repository exists for as short a time as possible.

email2github is a handy tool for day-to-day investigation. It implements user search and this fake-commit technique. Accounts are first looked up through user search, as that technique is less risky. The fake-commit technique is used only if user search does not yield anything.

I hope you will find it useful!
