When a user verifies a GitHub account at /edit/elsewhere, the final result is a GitHub username tied to a Liberapay account. The issue is GitHub usernames are mutable.
Consider the scenario.
This can enable impersonation.
I suspect the issue is caused in this function:
https://github.com/liberapay/liberapay.com/blob/master/liberapay/elsewhere/_base.py#L266
I haven't set up my own instance to see if GitHub is indeed going through the username path, but in practice I was able to set up 2 accounts as described, change the name of the attacker to something else, and then import a different account's repos as my own.
Regards,
Frans
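
The following is an added example, not part of the original report and not Liberapay's code: it contrasts looking up a linked account by its mutable username with looking it up by the immutable user id the platform returns. `ElsewhereStore`, its methods, and all account values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    participant: str  # local account that verified the link
    user_id: int      # immutable platform id captured at verification
    user_name: str    # login snapshot, may go stale after a rename

class ElsewhereStore:
    """Hypothetical in-memory store of verified external accounts."""

    def __init__(self):
        self._links = {}  # (platform, user_id) -> Link

    def link(self, participant, platform, user_id, user_name):
        self._links[(platform, user_id)] = Link(participant, user_id, user_name)

    def owner_by_name(self, platform, user_name):
        # Weak: trusts a mutable login, so a stale snapshot still matches.
        for (plat, _), rec in self._links.items():
            if plat == platform and rec.user_name.lower() == user_name.lower():
                return rec.participant
        return None

    def owner_by_id(self, platform, user_id, current_name):
        # Hardened: the immutable id decides; the login is only refreshed.
        rec = self._links.get((platform, user_id))
        if rec is None:
            return None
        rec.user_name = current_name
        return rec.participant

    def stale_names(self, platform, user_id, current_name):
        # Links whose stored login is now reported for a different id.
        return [rec.participant for (plat, uid), rec in self._links.items()
                if plat == platform and uid != user_id
                and rec.user_name.lower() == current_name.lower()]

def demo():
    store = ElsewhereStore()
    store.link("alice", "github", 1001, "octo-dev")  # constructed values
    # Constructed API result: login "octo-dev" is now reported for id 2002.
    return (store.owner_by_name("github", "octo-dev"),
            store.owner_by_id("github", 2002, "octo-dev"),
            store.stale_names("github", 2002, "octo-dev"))

if __name__ == "__main__":
    print(demo())
```

The name-based lookup attributes the login to the old link, while the id-based lookup returns no owner and `stale_names` flags the link whose snapshot needs re-verification.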