Leaking of private emails?
A bit over a month ago, I was crawling GitHub’s API while working on code input (it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API that were not visible on the public profiles.
Take a random profile like the following. No email is shown publicly:
But query the API for the same user, using a token with no permissions, and it returns the email:
{
"login": "clar*****",
...
"location": "Berlin, DE",
"email": "clar****@gmail.com",
...
}
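The check described above, as an added example that is not the author's crawler and not GitHub's code: it assumes the public REST endpoint GET https://api.github.com/users/{username}, whose JSON user object carries an "email" key (null when nothing is exposed), and it sends a token only if one is present in the GITHUB_TOKEN environment variable, since the endpoint needs no scopes. Run with no arguments it works offline over constructed sample responses (not real API output); run with one or more usernames it queries the live API and prints which of them expose an address, masked the way the post masks them.

```python
"""Check which GitHub user profiles expose an email through the REST API.

Added example, not the post author's crawler. Assumes the public REST
endpoint GET https://api.github.com/users/{username}, whose response
carries an "email" field (null when nothing is exposed).
"""
import json
import os
import sys
import urllib.request
from typing import Optional

API_BASE = "https://api.github.com"


def fetch_user(username: str, token: Optional[str] = None) -> dict:
    """Fetch one user object from the live API.

    The token is optional: the endpoint needs no scopes, and an
    unauthenticated call also works, just with a lower rate limit.
    """
    req = urllib.request.Request(f"{API_BASE}/users/{username}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exposed_email(user: dict) -> Optional[str]:
    """Return the email the API exposes for this user object, or None.

    The API returns an explicit null rather than omitting the key, so a
    missing key, a null and a blank string are all treated as nothing
    exposed.
    """
    email = user.get("email")
    if isinstance(email, str) and email.strip():
        return email.strip()
    return None


def mask(value: str, keep: int = 4) -> str:
    """Redact a login or email for a report, keeping a short prefix
    (clarence -> clar****, clarence@gmail.com -> clar****@gmail.com)."""
    if "@" in value:
        local, _, domain = value.partition("@")
        return f"{local[:keep]}{'*' * max(len(local) - keep, 1)}@{domain}"
    return f"{value[:keep]}{'*' * max(len(value) - keep, 1)}"


def find_exposed(users: list) -> dict:
    """Map login -> exposed email for every user object that has one."""
    found = {}
    for user in users:
        email = exposed_email(user)
        if email:
            found[user["login"]] = email
    return found


# Constructed sample responses (not real API output) for an offline run.
SAMPLE_USERS = [
    {"login": "alice-example", "location": "Berlin, DE",
     "email": "alice.example@gmail.com"},
    {"login": "bob-example", "location": None, "email": None},
    {"login": "carol-example", "email": "   "},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        token = os.environ.get("GITHUB_TOKEN")
        users = [fetch_user(name, token) for name in sys.argv[1:]]
    else:
        users = SAMPLE_USERS
    for login, email in find_exposed(users).items():
        print(f"{mask(login)}: {mask(email)}")
```

Keeping the live fetch separate from the parsing means a reproduction report can be built from saved JSON responses, which is also the artefact a triager would want attached to a ticket rather than a screenshot.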
HackerOne conversation
I reported the issue to HackerOne on March 25, 2025. After 3 weeks or so, the ticket was closed as informative.
What is infuriating is that the investigator claims that they are unable to reproduce the issue. Given that I provided my own API key, I am leaning toward the conclusion that they did not even try.
What Now?
Whether this is a bug or unintended exposure remains unclear. The API still leaks emails for select profiles, and HackerOne’s dismissal—despite documented evidence—leaves the issue unresolved.