GitHub users are expressing mixed reactions to OSGINT, a tool designed to extract personal information from GitHub profiles, with particular concern over its ability to uncover email addresses that users may have intended to keep private.
OSGINT, developed by a user named Hippie, allows anyone to retrieve information about GitHub users by searching either a username or email address. While the tool primarily collects publicly available data like profile details, repository counts, and creation dates, its ability to extract email addresses from various sources has sparked privacy debates within the developer community.
Email Extraction Capabilities
The tool employs several methods to discover user emails, including scanning public commits, decoding GPG keys, and even spoofing commits to reveal associated email addresses. This comprehensive approach means OSGINT can often find email addresses that users might not realize are publicly accessible.
One user who tested the tool confirmed it accurately retrieved their profile information but noted it also collected emails from contributors to their repositories, potentially creating confusion about which emails actually belonged to the target user:
"Pretty much spot on, except for the emails. The ones with username zellyn are correct; the others are people who've contributed changes to repos I created (I think)."
OSGINT Features
- Find GitHub username from an email
- Find email from GitHub username (not always successful)
- Retrieve profile information including:
  - Account creation date
  - Public gists
  - User ID
  - Public PGP keys
  - Public SSH keys
Email Discovery Methods
- Scanning all public commits for unhidden emails
- Decoding GPG keys to extract email information
- Querying GitHub user API
- Spoofing commits with target email to check commit history
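Since commit metadata is the first source on this list, developers can audit their own repository for addresses that are not GitHub noreply addresses before they push. The sketch below is an added example, not code from OSGINT or from the original article; the `audit` function, the sample log and the names in it are constructed for illustration. It also separates the owner's addresses from contributors' addresses, which is the mix-up the tester described above.

```python
import re
from collections import defaultdict

# GitHub's privacy addresses: "username@users.noreply.github.com" or
# "ID+username@users.noreply.github.com".
NOREPLY = re.compile(r"^(?:\d+\+)?[^@\s]+@users\.noreply\.github\.com$", re.I)

# Constructed sample of:  git log --all --format='%H|%an|%ae|%cn|%ce'
# (hashes shortened; every name and address here is made up)
SAMPLE_LOG = """\
a1f3|Dev One|dev.one@example.com|Dev One|dev.one@example.com
b2e4|Dev One|1234567+devone@users.noreply.github.com|GitHub|noreply@github.com
c3d5|Contributor|contrib@example.org|Dev One|1234567+devone@users.noreply.github.com
d4c6|Dev One|DEV.ONE@example.com|Dev One|devone@users.noreply.github.com
"""

def audit(log_text, my_names):
    """Return {email: {"mine": bool, "roles": set, "commits": [hashes]}} for
    every author/committer address that is not a GitHub noreply address."""
    mine = {n.lower() for n in my_names}
    exposed = defaultdict(lambda: {"mine": False, "roles": set(), "commits": []})
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue  # skip malformed lines (e.g. a "|" inside a name)
        sha, an, ae, cn, ce = (p.strip() for p in parts)
        for role, name, email in (("author", an, ae), ("committer", cn, ce)):
            email = email.lower()  # same mailbox regardless of letter case
            if not email or NOREPLY.match(email) or email == "noreply@github.com":
                continue  # already private, or GitHub's own web-commit identity
            entry = exposed[email]
            entry["mine"] = entry["mine"] or name.lower() in mine
            entry["roles"].add(role)
            if sha not in entry["commits"]:
                entry["commits"].append(sha)
    return dict(exposed)

if __name__ == "__main__":
    for email, info in sorted(audit(SAMPLE_LOG, {"Dev One"}).items()):
        owner = "yours" if info["mine"] else "contributor"
        print(f"{email:24} {owner:12} {sorted(info['roles'])} {info['commits']}")
```

To check a real repository, pass the output of the `git log` command shown in the comment in place of `SAMPLE_LOG`.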
Privacy and Utility Concerns
Community reactions highlight significant concerns about who benefits from such tools. Several users questioned whether OSGINT primarily serves legitimate security research purposes or simply enables spammers and recruiters to gather contact information more efficiently. One commenter directly asked, "Who does this benefit besides spammers?" while another lamented, "Just as recruiters were stopping to spam me via GitHub..."
Some developers pointed out that much of the information OSGINT collects is already visible on GitHub profile pages, with email addresses being the main exception. Others suggested simpler methods to access the same data, such as appending .patch to a commit URL.
Similar Tools in the Ecosystem
The discussion also revealed that OSGINT isn't unique in this space. Another service called RepoReach was mentioned as offering similar functionality, though users expressed additional concerns about that platform's lack of transparency regarding its privacy policy and requirement for registration.
As open-source intelligence (OSINT) tools become more accessible and powerful, the GitHub community continues to debate the balance between transparency, security research, and personal privacy. For developers concerned about their digital footprint, these discussions highlight the importance of understanding which personal information might be publicly accessible through their code contributions and profile details.
Some users have responded with humor, pointing to the practice of using pseudonyms rather than real names on GitHub, linking to profiles like elonmusk and donaldtrump as examples of how some users maintain privacy through anonymity rather than technical measures.
Reference: OSGINT