Github Oauth is tied to username at /edit/elsewhere instead of email
State Resolved (Closed)
Disclosed publicly 2018-12-02T16:42:41.425Z
Reported To
Weakness Improper Access Control - Generic

submitted a report to Liberapay.

When a user verifies a Github account at /edit/elsewhere the final result is a Github username tied to a Liberapay account. The issue is Github usernames are mutable.

Consider the scenario.

  1. I create an account called ed-liberapay (something likely to be claimed in the future)
  2. Verify that I own that Github account on
  3. I go to my Github and update my username (this doesn't change anything on and Github won't redirect old links to the account to the new location)
  4. Eventually that account is claimed by Ed and he creates impressive repos.
  5. I go and import the repos into my account and pretend to own it.


This can enable impersonation.

I suspect the issue is caused in this function:

I haven't set up my own instance to see if GitHub is indeed going through the username path, but in practice I was able to set up 2 accounts as described, change the name of the attacker account to something else, and then import a different account's repos as my own.


Thank you for your submission! We have received your report and a security analyst will respond shortly.

edoverflow Activities::Comment
Hi @emitrani, thank you for the report. We are currently reviewing the potential issue you described above. - Ed

edoverflow Activities::BugTriaged
@karel_origin and I were able to reproduce this issue. We will mark this report as triaged and start discussing the security implications internally with the team. Thank you for your patience, @emitrani. - Ed

changaco Activities::Comment
This vulnerability is difficult to exploit and only works for a limited amount of time, because we automatically refresh GitHub user data every 90 days. The following patch should prevent the impersonation completely, by checking the immutable user ID when fetching the repositories:
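The scenario in the report and the fix described in the comment above, as an added example: this is not Liberapay's code and not the patch referenced in the comment (which is not reproduced on this page). It uses an in-memory stand-in for GitHub with constructed data, where `user_by_login` and `user_by_id` play the roles of the `GET /users/{login}` and `GET /user/{id}` lookups; the `ElsewhereLink` record and the function names are assumptions for illustration. It contrasts an import that trusts the stored (mutable) username with one that resolves the immutable ID first, and shows how a periodic refresh by ID corrects a stale username on the profile.

```python
# Added example (not Liberapay's code): simulating why linking a GitHub account by
# mutable username is unsafe, and how checking the immutable user ID prevents the
# repo-import impersonation described in the report. The "GitHub" here is an
# in-memory stand-in with constructed data; no network calls are made.
from dataclasses import dataclass, field


@dataclass
class GitHubUser:
    id: int                                  # immutable numeric account ID
    login: str                               # mutable username
    repos: list = field(default_factory=list)


class FakeGitHub:
    """Stand-in for the GitHub API: ids never change, logins can be renamed and reclaimed."""

    def __init__(self):
        self._users = {}                     # id -> GitHubUser

    def create(self, id, login, repos=()):
        self._users[id] = GitHubUser(id, login, list(repos))

    def rename(self, id, new_login):
        # Renaming frees the old login for anyone else to register.
        self._users[id].login = new_login

    def user_by_login(self, login):
        # Analogous to GET /users/{login}
        for user in self._users.values():
            if user.login == login:
                return user
        raise LookupError(login)

    def user_by_id(self, id):
        # Analogous to GET /user/{id}
        return self._users[id]


@dataclass
class ElsewhereLink:
    """What the platform stores after OAuth verification (assumed shape)."""
    user_id: int
    user_name: str


def import_repos_by_username(gh, link):
    """Vulnerable: trusts the stored username, which may now belong to someone else."""
    return gh.user_by_login(link.user_name).repos


def import_repos_by_id(gh, link):
    """Hardened: resolve the immutable ID and refuse if the stored username no longer matches it."""
    user = gh.user_by_id(link.user_id)
    if user.login != link.user_name:
        raise PermissionError(
            f"stored username {link.user_name!r} no longer belongs to id {link.user_id}"
        )
    return user.repos


def refresh_link(gh, link):
    """Periodic refresh: re-derive the displayed username from the immutable ID."""
    link.user_name = gh.user_by_id(link.user_id).login
    return link


def scenario():
    gh = FakeGitHub()
    gh.create(1001, "ed-liberapay")                       # attacker registers a likely-to-be-claimed name
    link = ElsewhereLink(user_id=1001, user_name="ed-liberapay")  # attacker verifies it via OAuth
    gh.rename(1001, "someone-else")                       # attacker renames, freeing "ed-liberapay"
    gh.create(2002, "ed-liberapay", ["impressive-repo"])  # Ed claims the name and publishes repos

    stolen = import_repos_by_username(gh, link)           # vulnerable path hands over Ed's repos
    try:
        import_repos_by_id(gh, link)
        blocked = False
    except PermissionError:
        blocked = True                                    # hardened path detects the mismatch
    refreshed = refresh_link(gh, link).user_name          # stale profile link corrected by ID
    own_repos = import_repos_by_id(gh, link)              # after refresh, import works on the real owner
    return stolen, blocked, refreshed, own_repos


if __name__ == "__main__":
    print(scenario())
```

The mismatch check is the cheap, immediate defence at import time; the refresh by ID is what eventually removes the stale username from the profile, which is the residual window the next comment points out.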

emitrani Activities::Comment
Hi @changaco, checking the account id before importing will fix the scenario I describe, but the link on the profile page will remain until the token is refreshed or an invalid import attempt is made. A person's profile can link to an empty GitHub profile or one claimed by someone else. Still, this patch solves the most problematic issue, importing someone else's repos. Best, Eray

karel_origin Activities::BugResolved
Thank you for reporting this issue to us!

changaco Activities::AgreedOnGoingPublic

emitrani Activities::AgreedOnGoingPublic
Small note to people reading this: if you look at how a bug you find is fixed, you will become better hackers. Thanks to this report I learned about immutable account ids on GitHub.

emitrani Activities::ReportBecamePublic