Published on Feb 26, 2022 by Arpad Ray
Browsing through Git's own Git repository on GitHub, I noticed something very strange. Git was famously created by Linus Torvalds, already widely known for having created the Linux kernel. However, GitHub shows the author of the first commit to the Git repo as "VanTudor".
After triple-checking the URL and the commit, my initial reaction was to doubt my memory. Maybe Linus had an early collaborator? A quick look at VanTudor's GitHub repositories puzzled me even further - I'd be surprised if someone involved in developing Git itself 17 years ago would have just a handful of front-end web projects on GitHub now.
I discovered after a bit of looking around online that I'm not the first to notice this. Someone wrote about the whole situation on Medium in November 2021: "The 1st commit of git/git no longer belongs to Linus Torvalds".
GitHub uses the author email address recorded in a Git commit to decide which GitHub user account (if any) to show as the author. We see this directly when viewing a commit on GitHub - it links straight to the user's profile - and I guess this would also appear in the user's activity feed, their contributions graph etc.
The problem is that GitHub makes this association even for unverified email addresses. In this case it really was Linus who made the first commit, of course, but all it took was for someone to add Linus's email address to their GitHub profile, without verifying it, and GitHub now displays that account as the author instead.
Why are we still seeing this now? The Medium article includes GitHub's response:
The response doesn't address why the association is made even for unverified emails, but concludes that this functionality is working as expected.
Of course GitHub already has a mechanism to verify emails, and I can't think of any benefit in ignoring it. If the email address isn't verified to belong to a GitHub account, they can simply present the author as it appears in the actual commit; there is no need to link it to a GitHub account at all.
To see if it's still possible to exploit this flaw, I decided to adopt one of the easter egg commits I wrote about recently in the Go repo.
I created a new GitHub account called "Not Brian Kernighan" with the old email address from one of those commits.
Of course that email isn't verified; I'd be surprised if it's still accessible. Still, seemingly instantly, my test account is attributed as the author of one of the first commits in the golang/go repo.
Finally I should note that the proper way to verify the identity behind a commit is, as per GitHub's response, a cryptographic signature. We shouldn't trust that a commit came from a particular person unless it was signed and we have verified that signature against a key known to belong to that person; the author name and email in the commit are free text that anyone can set.
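As an added illustration of the two points above (attribution keyed on the author email, versus attribution backed by a signature), here is a small Python audit script. It is not code from the original post or from GitHub; the `KEY_OWNERS` trust table, the `c0ffee*` hashes and the key fingerprints are constructed for the example. The only real interface it relies on is `git log --format` with the `%G?` and `%GF` placeholders documented in git-log(1).

```python
"""Audit git commit attribution by signature rather than by author email.

Added example, not code from the original post or from GitHub.  It assumes
a simple trust table, KEY_OWNERS, mapping a signing-key fingerprint to the
one email address its owner has proven control of (the binding GitHub
establishes when you upload a GPG key and verify the email on it).
SAMPLE_LOG below is constructed test data, not real commits.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# One record per commit: hash, author name, author email, signature status
# (%G?) and fingerprint of the signing key (%GF), NUL-separated so that names
# containing spaces or tabs cannot break the parse.
LOG_FORMAT = "%H%x00%an%x00%ae%x00%G?%x00%GF"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str     # a free-text claim; anyone can put any address here
    sig_status: str       # git-log(1) %G? code: G B U X Y R E or N
    key_fingerprint: str  # empty when the commit is unsigned


def git_log(repo_path: str) -> str:
    """Run git in repo_path and return the raw log (needs git and gpg set up)."""
    return subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_log(output: str) -> List[Commit]:
    """Split NUL-separated log records into Commit objects."""
    commits = []
    for line in output.splitlines():
        if not line:
            continue
        fields = line.split("\x00")
        if len(fields) != 5:
            raise ValueError(f"malformed log record: {line!r}")
        commits.append(Commit(*fields))
    return commits


def verdict(commit: Commit, key_owners: Dict[str, str]) -> str:
    """Decide whether the author email on a commit can be believed.

    GitHub-style attribution keys on author_email alone.  Here the email is
    treated as a claim that must be backed by a good signature from a key
    bound to that same address.
    """
    if commit.sig_status == "N":
        return "unsigned"                    # the author line could be anyone's
    if commit.sig_status != "G":
        return "bad_or_untrusted_signature"  # B, U, X, Y, R or E
    owner = key_owners.get(commit.key_fingerprint)
    if owner is None:
        return "unknown_key"                 # good signature, but by whom?
    if owner.lower() != commit.author_email.lower():
        return "key_email_mismatch"          # signed, but not by the claimed identity
    return "verified"


def audit(commits: List[Commit], key_owners: Dict[str, str]) -> Dict[str, str]:
    """Map each commit hash to its verdict."""
    return {c.sha: verdict(c, key_owners) for c in commits}


# Constructed trust table: fingerprint -> verified email of the key owner.
KEY_OWNERS = {
    "1111AAAA2222BBBB": "maintainer@example.org",
    "3333CCCC4444DDDD": "someone-else@example.net",
}

# Constructed log output.  Every record claims maintainer@example.org as the
# author; only the first claim is actually backed by the maintainer's key.
SAMPLE_LOG = "\n".join("\x00".join(r) for r in [
    ("c0ffee1", "Maintainer", "maintainer@example.org", "G", "1111AAAA2222BBBB"),
    ("c0ffee2", "Maintainer", "maintainer@example.org", "N", ""),
    ("c0ffee3", "Maintainer", "maintainer@example.org", "G", "3333CCCC4444DDDD"),
    ("c0ffee4", "Maintainer", "maintainer@example.org", "B", "1111AAAA2222BBBB"),
])

if __name__ == "__main__":
    for sha, result in audit(parse_log(SAMPLE_LOG), KEY_OWNERS).items():
        print(f"{sha} {result}")
```

Against a real checkout, call `audit(parse_log(git_log(".")), KEY_OWNERS)` with a trust table built from the keys you actually trust (GitHub's verified GPG keys for the maintainers, or a project keyring). Note that `%G?` reports `U` for a good signature from a key that is not trusted in your local gpg setup, and `E` when gpg cannot check at all, so an empty keyring makes everything look suspicious rather than verified; the script deliberately treats both as failures rather than guessing.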
However this still seems like a potentially dangerous (at best, misleading) issue which GitHub could resolve quite simply. Hopefully a little more publicity will encourage them to do so!
Update Feb 28 2022: I reported this to the GitHub security team via HackerOne thinking maybe the distinction of this applying to unverified emails had been overlooked in the previous report. I received a response confirming that this is working as expected, even pointing me towards a note on their "Ineligible submissions" page.
"Any email address that is not already associated with an account on GitHub may be claimed and this will give commit attribution to the claiming user. While we allow this attribution without requiring email address verification, any disputes around emails on accounts can be resolved by contacting our support team."
I guess it's cheaper to field the occasional support tickets than it is to change this!
This post was originally titled "Identity theft on GitHub" - I've updated it to make it clearer.