Leaking of private emails?
A bit over a month ago, I was crawling GitHub's API while working on code input (it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API responses that were not visible on the corresponding public profiles.
Take a random profile like the following. No email is shown publicly:
But query the API for the same user, using a token with no permissions, and it returns the email:
{
"login": "clar*****",
...
"location": "Berlin, DE",
"email": "clar****@gmail.com",
...
}
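The response above is what a check of this kind looks like. Below is an added example (not the author's crawler and not GitHub's code) that fetches a user record from the documented endpoint GET https://api.github.com/users/{login}, reports whether the API's `email` field carries an address, and masks it in the style used above so that a report can cite the exposure without repeating the address. The token header form (`Authorization: Bearer ...`) and the `Accept` header follow GitHub's REST documentation; the sample records at the bottom are constructed so the audit logic runs offline, and the login names in them are placeholders.

```python
"""Audit what the GitHub REST API publishes in a user's `email` field.

Added example, not the author's crawler. Assumes the public endpoint
GET https://api.github.com/users/{login}; an optional token is sent as
"Authorization: Bearer <token>", the header form GitHub's REST docs describe.
"""
import json
import urllib.request
from typing import Optional


def mask_email(email: str) -> str:
    """Redact an address for a report: keep 4 chars of the local part and the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:4]}****@{domain}"


def exposed_email(user: dict) -> Optional[str]:
    """Return the address the API exposes in this user record, or None.

    GitHub's `email` field is null when the account publishes no address.
    """
    email = user.get("email")
    if isinstance(email, str) and "@" in email:
        return email
    return None


def audit_records(records: list[dict]) -> dict[str, Optional[str]]:
    """Map each login to its masked exposed email, or None when nothing is exposed."""
    result: dict[str, Optional[str]] = {}
    for user in records:
        email = exposed_email(user)
        result[user["login"]] = mask_email(email) if email else None
    return result


def fetch_user(login: str, token: Optional[str] = None, timeout: float = 10) -> dict:
    """Fetch one user record from the API (network access required)."""
    req = urllib.request.Request(f"https://api.github.com/users/{login}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("User-Agent", "email-exposure-audit")  # GitHub requires a User-Agent
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample records standing in for API responses (placeholder logins).
SAMPLE_RECORDS = [
    {"login": "clarissa-example", "location": "Berlin, DE", "email": "clarissa@gmail.com"},
    {"login": "no-email-example", "location": None, "email": None},
]

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Check your own account: python audit.py <your-login> [token]
        token = sys.argv[2] if len(sys.argv) > 2 else None
        records = [fetch_user(sys.argv[1], token)]
    else:
        records = SAMPLE_RECORDS
    for login, masked in audit_records(records).items():
        print(f"{login}: {'exposed ' + masked if masked else 'no email in API response'}")
```

Run it against your own login to confirm the API returns `"email": null` when you expect no address to be published; the masking mirrors the redaction used in the response quoted above, which is the form to use when filing a report.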
HackerOne conversation
I reported the issue to HackerOne on March 25, 2025. After three weeks or so, the ticket was closed as Informative.
What is infuriating is that the investigator claims they were unable to reproduce the issue. Given that I provided my own API key, I lean toward believing they did not even try.
What Now?
Whether this is a bug or unintended exposure remains unclear. The API still leaks emails for select profiles, and HackerOne's dismissal, despite the documented evidence, leaves the issue unresolved.