When using hub for the first time, it will automatically create an OAuth token. This gets logged into the security history viewable on the account's profile under the line "oauth_authorization.create". This log line will be in the format of:
oauth_authorization.create – Personal access token (hub for user@hostname)
There is no reason to send the local Unix account to GitHub servers, as the local account username might be different from the GitHub username, and as such is private information (e.g. that identity could be used elsewhere by the user or might be a one-off). This probably also violates computer privacy laws (e.g. GDPR), as only the user's GitHub account name/password/2fac shall be sufficient to access the service via the CLI. Finally, this is not mentioned in the documentation at all, which means the user has no way of making an informed choice whether to use the CLI or not.
The tool should ask for an OAuth key "vanity name" to be submitted on first connection if the user wants to audit access logs instead of user@hostname.
Interesting point; thank you. I agree that we probably shouldn't be sharing your computer's info without prompting. During login, we could ask the user to provide an identifiable label for this machine (or leave blank) instead.
Fully agree with the issue report; I've just noticed (after having used hub for the first time) that hub leaked both my local user name and my (VPN-specific) hostname to github. Please don't do that. Thanks.
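The label prompt suggested in the reply above, sketched next to the "hub for user@hostname" format from the report. This is an added example, not hub's own code: the function names, the bare "hub" fallback for a blank label and the sample user and host values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// legacyNote reproduces the format quoted in the report: "hub for user@hostname".
func legacyNote(user, host string) string {
	return fmt.Sprintf("hub for %s@%s", user, host)
}

// sanitizeLabel drops control characters from the typed label and trims it.
func sanitizeLabel(label string) string {
	clean := strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, label)
	return strings.TrimSpace(clean)
}

// labelledNote builds the note only from what the user typed at login;
// nothing is read from the environment, and a blank label yields "hub" (assumed fallback).
func labelledNote(label string) string {
	if l := sanitizeLabel(label); l != "" {
		return "hub for " + l
	}
	return "hub"
}

// disclosesLocal reports whether a note contains the local user or host name.
func disclosesLocal(note, user, host string) bool {
	n := strings.ToLower(note)
	for _, v := range []string{user, host} {
		if v != "" && strings.Contains(n, strings.ToLower(v)) {
			return true
		}
	}
	return false
}

func main() {
	user, host := "alice", "vpn-laptop.corp.example" // constructed sample values
	for _, note := range []string{legacyNote(user, host), labelledNote("work laptop"), labelledNote("  ")} {
		fmt.Printf("%-40q discloses local identity: %v\n", note, disclosesLocal(note, user, host))
	}
}
```

A check like `disclosesLocal` can run as a regression test on whatever note the client is about to submit, so the local identity cannot slip back in through a default value.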