Questionable use of GitHub APIs

Over-reacted to second hand info and misinterpreted docs.

I do think OAuth providers (like Github, Twitter, Facebook, etc...) should do more to discourage apps from requesting write access. It PARTICULARLY disturbs me that admin:public_key is even an option in Github's Scopes. So the potential for disasterous outcomes certainly exists when granting access to apps via Github's OAuth system, but provided that you carefully read what you're granting access to, it's not necessarily as bad a my original post (left intact below) made it out.

During a twitter conversation[1] this morning, I discovered that in order for an application to get something as simple as your name during a single-sign on, it has to ask for full user profile information. That's a bit scary by itself, but when asking for full profile information, it also has to ask for read and WRITE permissions.[2]

Yes, in order to use single-signon to a 3rd party site, I have to give that site the rights to modify my email address list. A malicious site might otentially insert an address they control, which for an account without 2-factor authentication, means an easy take-over, and subsequent ability to poison any repos you control.

In OSS development circles, we call this "worst case scenario". Well done, GitHub.

1 - https://twitter.com/SaraMG/status/614518376572936192 2 - https://developer.github.com/v3/oauth/#scopes

$ curl -i -H "Authorization: token REDACTED" https://api.github.com/user HTTP/1.1 200 OK Server: GitHub.com Date: Fri, 26 Jun 2015 20:03:31 GMT Content-Type: application/json; charset=utf-8 Content-Length: 1314 Status: 200 OK X-RateLimit-Limit: 5000 X-RateLimit-Remaining: 4997 X-RateLimit-Reset: 1435352611 Cache-Control: private, max-age=60, s-maxage=60 Last-Modified: Fri, 26 Jun 2015 19:01:08 GMT ETag: "23eb98773ce281d66227a26e6f608e1b" X-OAuth-Scopes: X-Accepted-OAuth-Scopes: Vary: Accept, Authorization, Cookie, X-GitHub-OTP X-GitHub-Media-Type: github.v3 X-XSS-Protection: 1; mode=block X-Frame-Options: deny Content-Security-Policy: default-src 'none' Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval Access-Control-Allow-Origin: * X-GitHub-Request-Id: AE6D3641:1224:245B86:558DB013 Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Content-Type-Options: nosniff Vary: Accept-Encoding X-Served-By: 065b43cd9674091fec48a221b420fbb3 { "login": "jasonrudolph", "id": 2988, "avatar_url": "https://avatars.githubusercontent.com/u/2988?v=3", "gravatar_id": "", "url": "https://api.github.com/users/jasonrudolph", "html_url": "https://github.com/jasonrudolph", "followers_url": "https://api.github.com/users/jasonrudolph/followers", "following_url": "https://api.github.com/users/jasonrudolph/following{/other_user}", "gists_url": "https://api.github.com/users/jasonrudolph/gists{/gist_id}", "starred_url": "https://api.github.com/users/jasonrudolph/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/jasonrudolph/subscriptions", "organizations_url": "https://api.github.com/users/jasonrudolph/orgs", "repos_url": "https://api.github.com/users/jasonrudolph/repos", "events_url": "https://api.github.com/users/jasonrudolph/events{/privacy}", "received_events_url": "https://api.github.com/users/jasonrudolph/received_events", "type": "User", "site_admin": true, "name": "Jason Rudolph", "company": "", "blog": "http://jasonrudolph.com", "location": "North Carolina, USA", "email": "", "hireable": false, "bio": null, "public_repos": 28, "public_gists": 27, "followers": 197, "following": 0, "created_at": "2008-03-13T15:02:53Z", "updated_at": "2015-06-26T19:01:08Z" }

sgolemon/gist:0e1ea13a16d21098e73f

jasonrudolph commented Jun 26, 2015

Uh oh!

sgolemon commented Jun 26, 2015

Uh oh!