Show HN: GitLeak – A GitHub OSINT tool for emails, timezones, and activity
5 hours ago (gitleak.io)
I built GitLeak (https://gitleak.io) - a free OSINT tool for GitHub. It scans through user profiles to find leaked email addresses, commit timezones, git usernames, and commit time patterns.
The motivation: I consider myself reasonably security-conscious and have my email set to "private" on GitHub's web UI. However, while playing around with GitHub's API, I realized my personal email was still completely exposed. I built GitLeak to see how widespread this is.
How it works: The leak usually happens because of a disconnect between local Git settings and GitHub's web settings. While a user might hide their email on their GitHub profile, their local git config user.email is often set to a personal address. When they push a commit, that email is permanently baked into the commit metadata. GitLeak scrapes the .patch files appended to these commits, parsing out the rich metadata that allows for email extraction from otherwise "anonymous" accounts. It also maps out daily commit activity to infer the user's sleep patterns.
The tool is completely free to use. I recommend searching for your own GitHub username to see if your email address is private.
I'd love to hear your feedback, or let me know if you find anything surprising!
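A self-audit sketch for the mechanism described in the post, added here as an example (it is not GitLeak's code): it parses the mail-style header of a `.patch` for one of your own commits and reports whether the author address is a GitHub noreply address, plus the UTC offset and local hour the `Date:` header reveals. The sample patches, names, addresses and hashes are constructed, and the function names are hypothetical.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

NOREPLY_SUFFIX = "@users.noreply.github.com"  # GitHub's private commit address domain

# Constructed sample patch headers (hashes, names and addresses are made up).
LEAKY = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Alex Example <alex@personal.example>
Date: Tue, 3 Mar 2026 23:41:07 +0100
Subject: [PATCH] Fix typo in README

---
"""
PRIVATE = """\
From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: Alex Example <12345+alex@users.noreply.github.com>
Date: Wed, 4 Mar 2026 09:15:00 -0500
Subject: [PATCH] Bump version

---
"""

def audit_patch(patch_text):
    """Report what one patch header reveals about its author."""
    msg = message_from_string(patch_text)  # the leading "From <sha>" line is the mbox separator
    _, addr = parseaddr(msg.get("From", ""))
    when = parsedate_to_datetime(msg["Date"])  # keeps the author's own UTC offset
    return {
        "email": addr.lower(),
        "email_exposed": not addr.lower().endswith(NOREPLY_SUFFIX),
        "utc_offset_hours": when.utcoffset().total_seconds() / 3600,
        "local_hour": when.hour,
    }

def summarize(patches):
    """Aggregate exposure across a set of your own patches."""
    rows = [audit_patch(p) for p in patches]
    return {
        "exposed_emails": sorted({r["email"] for r in rows if r["email_exposed"]}),
        "utc_offsets": sorted({r["utc_offset_hours"] for r in rows}),
        "commits_by_local_hour": dict(Counter(r["local_hour"] for r in rows)),
    }

if __name__ == "__main__":
    print(summarize([LEAKY, PRIVATE]))
```

Setting `git config user.email` to your GitHub noreply address keeps the personal address out of new commits, but as the second sample shows, the `Date:` header still carries the UTC offset and local commit hour.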