Easy to masquerade as another github.com user


While setting up two github.com accounts on one machine, I discovered that it seems way too easy to pretend to be another github.com user.

I am using git bash locally and committing to repos based on github.com. I can simply run the following command to configure repo-specific settings:

git config user.email "myColleague@work.com"

Hey presto, all further commits come up with my work colleague's profile picture and even reveal his user name!

I did not change any credential settings, so I know that I am using my github.com username and password to connect. But for all intents and purposes, I could write malicious code and he would get the blame.

So my two questions are:

Why is this possible?

Is there a way of seeing the credentials that were used to push to github.com for each commit?

We do have accounts in the same organisation, but I am using a personal account to do this which has no relation to that organisation.



Yes, this is a consequence of how Git is designed. Anyone can author Git commits using any username or email address they choose. If those commits get pushed to GitHub, then it can appear that the GitHub account associated with that email address authored those commits. However, pushes are authenticated by GitHub user account credentials. Only people with write access to a repository can push commits to it, no matter who the commits appear to be from at a Git level. There is also the ability to sign commits with a digital signature, so that it can be verified that they were authored by the person they appear to be.

You can find out more details about how all of this works in our Support Pro-tips article, Why is my commit associated with the wrong person?

I hope that helps!
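The answer above points out that the author email on a commit is free-form and that only a digital signature ties a commit to a person. As an added example that is not part of the original thread, this Python script reads git's `%G?` signature-status column and lists commits whose claimed author is not backed by a good signature; the sample log lines, the email addresses and the `git_log` helper are constructed for illustration and are not from the thread.

```python
"""Audit a git log for commits whose authorship is not backed by a good signature.

Git's `%G?` pretty-format placeholder reports signature status per commit:
  G  good signature            B  bad signature
  U  good, untrusted key       X  good, expired signature
  Y  good, expired key         R  good, revoked key
  E  cannot check (key missing etc.)   N  no signature
"""
import subprocess
from dataclasses import dataclass

# Constructed sample output of:
#   git log --format='%H%x09%G?%x09%ae%x09%an'
# Tab-separated: hash, signature status, author email, author name.
# Commits 2-4 carry a claimed author that nothing verifies.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\talice@example.com\tAlice
2222222222222222222222222222222222222222\tN\talice@example.com\tAlice
3333333333333333333333333333333333333333\tE\tbob@example.com\tBob
4444444444444444444444444444444444444444\tB\tbob@example.com\tBob
"""

TRUSTED_STATUSES = {"G"}  # only a good signature from a trusted key counts


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str
    email: str
    name: str


def parse_log(text: str) -> list[Commit]:
    """Parse the tab-separated format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, email, name = line.split("\t", 3)
        commits.append(Commit(sha, status, email, name))
    return commits


def unverified(commits: list[Commit]) -> list[Commit]:
    """Commits whose author/email claim is not backed by a good signature."""
    return [c for c in commits if c.sig_status not in TRUSTED_STATUSES]


def git_log(repo: str = ".", rev_range: str = "HEAD") -> list[Commit]:
    """Run git on a real repository, producing the same format as SAMPLE_LOG."""
    fmt = "--format=%H%x09%G?%x09%ae%x09%an"
    out = subprocess.run(["git", "-C", repo, "log", rev_range, fmt],
                         capture_output=True, text=True, check=True).stdout
    return parse_log(out)


if __name__ == "__main__":
    for c in unverified(parse_log(SAMPLE_LOG)):
        print(f"{c.sha[:12]} status={c.sig_status} {c.email} ({c.name})")
```

Replace `parse_log(SAMPLE_LOG)` with `git_log("/path/to/repo", "origin/main..HEAD")` to check commits before merging them.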