GitHub uses the email address associated with a GitHub account to link commits and other activity to a GitHub profile. When a user makes commits to public repos their email address is usually published in the commit and becomes publicly accessible, if you know where to look.
GitHub provide some instructions on how to prevent this from happening, but it seems that most GitHub users either don't know or don't care that their email address may be exposed.
Finding a GitHub user's email address is often as simple as looking at their recent events via the GitHub API.
Idea and text from Nick Drewe.
git clone https://github.com/GONZOsint/gitrecon.gitcd gitrecon/python3 -m pip install -r requirements.txt
token = '<Access token here>'
usage: gitrecon.py [-h] [-a] [-o] usernamepositional arguments: usernameoptional arguments: -h, --help show this help message and exit -a, --avatar download avatar pic -o, --output save output as json
- User ID
- Avatar url
- Gravatar ID
- Twitter username
- Created at
- Updated at
Search for leaked emails on commits
To avoid this type of leaks, certain configurations can be made on Github:
Settings url: https://github.com/settings/emails
- ✔️Keep my email addresses private
- ✔️Block command line pushes that expose my email