Finding the design flaw
While playing with the GitHub API querying different things, I had a light bulb go off. If you can query any GitHub user via API, and see their administrator access level, why would it not be feasible to piggyback the “Myspace Tom” KevinHock account that follows every GitHub user, get the list? At the end of the day, what’s the worst that could
We query the API for KevinHock’s account. Later we do this in a loop so that we can get around the only 100 records per page maximum. We’ll also need to add a sleep
because if you query the API too quickly, you’ll hit a rate limit and be locked out
We’ll do this about 10,000 times, with a self-limit set at 5-minute query intervals so that
we don’t get locked out. We use tee to be able to see the data pulled back as we write it to a file. Following, we’ll line up the data with grep around login, then remove an extraneous character with cut before sending the data over to xargs which will run curl on that user,
then send the logins through sed to fix the JSON formatting. Finally, we save it to github_admins.txt
Will show us (and a lot more):
In the end, you should have a .json file with all the administrators on GitHub saved to it.
I submitted this for a bug bounty, but it didn’t qualify because they already knew about the
design flaw and considered it low-risk. Please don’t use this maliciously, it is for
informational purposes only. View the full file: here.