| Title | Description |
|---|---|
| Target | Learn how to prevent leaking your email address |
| Difficulty | Medium |
| Measure | Author email addresses |
| Threat | Email address is leaked via author email |
| Detect | Leaked email addresses |
| Prevent | Leaking email addresses |
| Stage | Commit |
| Known problems | This lab applies only to GitHub |
Leaking your email address that is connected to your GitHub account gives attacker possibility to forge for example PR request or Build failed emails which makes targeted phishing attack more dangerous.
Change the GitHub settings to protect your email addresses and rewrite the repository history to have different author.
In GitHub:
- Goto https://github.com/settings/emails
- Add more email addresses if you want
- Check keep my email addresses private
- Copy the
id+username@users.noreply.github.comfor further use
In local git:
- Use
git config user.email id+username@users.noreply.github.comto configure new email address for you - Use
git rebase -r --root --exec "git commit --amend --no-edit --reset-author"to rewrite the history of the branch (repeat for other branches) - Use
git push --forceto rewrite remote history
⚠⚠⚠ This will rewrite history of remote branch which will affect anyone else working with the repository ⚠⚠⚠
⚠⚠⚠ This will also hijack all commits to your name ⚠⚠⚠
- GitHub email settings: https://github.com/settings/emails
- Set your email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address
- History rewrite tool: https://github.com/newren/git-filter-repo/
- Git log pretty formats: https://git-scm.com/docs/pretty-formats
The solution was already in the steps. Use git log --pretty=format:"%h - %ae" or git shortlog --summary --numbered --email to verify.