Some John Doe just stole your data? Your GitHub source code is in use elsewhere without your consent? You have always wondered how your data and credentials got into the wrong hands?
I used to experience just the same when my IT research project leaked and ended up on GitHub without my permission. It took me weeks before all the copies were removed, and it delayed the official publication. So what do you have to do? Below is a detailed list of ways to avoid doxxing on GitHub.
Just imagine what it means when an anonymous actor can access your details as though they were an employee, without ever triggering an alarm. Sounds unsettling, right? Are you beginning to feel nervous?
How Does Doxxing on Github Happen?
Before learning how to avoid getting doxxed, you should know what exactly doxxing entails. Doxxing occurs when a malicious person collects your confidential data and information with the intention of posting it online, whether on a private forum or on a public platform.
In most cases, the objective is to torment the victim or to incite others to harass them.
To illustrate how real doxxing on GitHub is, here is a report about serious medical data breaches. Out of curiosity, Jelle Ursem, a well-known Netherlands-based security researcher, wondered, “Hey — let’s see if somebody is actually stupid enough to upload medical customer data to GitHub.”
It took him less than 10 minutes to discover that a large amount of medical data had been exposed on GitHub.
Another GitHub doxxing incident is the recently taken-down abusive Sulli Bai app. The Diplomat reported that the app targeted Indian Muslim women for ‘auctioning.’ The victims’ details were stolen from social media. The cyberbullies used anonymous Twitter accounts to carry out their abuse.
Mostly, doxxing on GitHub occurs because software developers:
- Fail to make login details configurable before uploading their code to the source code server, and instead hard-code the credentials in their source code.
- Use public repositories rather than private ones.
- Do not enable two-factor authentication (2FA) on their email accounts.
- Leave repositories in place rather than deleting them when they are no longer needed.
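The first item on that list, hard-coded credentials, is the one a developer can catch before anything reaches GitHub. The following Python script is an added example (not code from the original article): it scans a file's text for a few well-known secret formats (GitHub's classic "ghp_" personal access token prefix, AWS access key IDs, and literal password assignments), reports each hit with the value redacted, and shows the configurable alternative, where credentials are read from the environment and the program refuses to start if they are missing. The regular expressions, the `SAMPLE_BEFORE`/`SAMPLE_AFTER` file contents and the token values are constructed for this example and match only the format, not any real credential.

```python
import os
import re

# Formats worth flagging before a commit. Constructed for this example; the two
# token rules follow the public "ghp_" and "AKIA" prefixes, the third catches
# literal password assignments such as password = "..." in source or config.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_literal": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"
    ),
}


def redact(value):
    """Keep a short prefix and suffix so the report itself does not leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text):
    """Return (line_number, kind, redacted_match) for every suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def is_safe_to_commit(text):
    """True when the scanner finds nothing; wire this into a pre-commit hook."""
    return not scan_text(text)


def load_credentials(env=None):
    """Hardened form: credentials come from the environment (or a secret store),
    never from the repository, and a missing value is a startup error."""
    env = os.environ if env is None else env
    required = ("GITHUB_TOKEN", "DB_PASSWORD")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError("missing credentials in environment: " + ", ".join(missing))
    return {name: env[name] for name in required}


# CONSTRUCTED sample values: right length and prefix, otherwise meaningless.
FAKE_PAT = "ghp_" + "x" * 36
FAKE_AWS_KEY = "AKIA" + "0123456789ABCDEF"

# CONSTRUCTED settings module as it might look before review: secrets embedded.
SAMPLE_BEFORE = (
    'password = "hunter2-sup3r"\n'
    f'GITHUB_TOKEN = "{FAKE_PAT}"\n'
    f'AWS_ACCESS_KEY_ID = "{FAKE_AWS_KEY}"\n'
    'DB_HOST = "db.internal.example"\n'
)

# The same module after making the credentials configurable.
SAMPLE_AFTER = (
    "import os\n"
    'DB_HOST = "db.internal.example"\n'
    'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    'GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]\n'
)

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_BEFORE):
        print(f"line {lineno}: {kind}: {shown}")
    print("before is safe to commit:", is_safe_to_commit(SAMPLE_BEFORE))
    print("after is safe to commit:", is_safe_to_commit(SAMPLE_AFTER))
```

Running the script reports three findings on the "before" file and none on the "after" file. In practice you would run `scan_text` over the staged diff from a pre-commit hook and block the commit when it returns anything; `load_credentials` is what the application calls at startup instead of importing a settings file with literals in it.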
Doxxing on GitHub has several worst-case consequences, as mentioned above, but there are many ways to avoid it.
How Do You Avoid Getting Doxxed on Github?
GitHub is awesome. I love GitHub, and just like you and millions of other software developers, I use it daily. However, the power of GitHub also brings risks. That’s why it’s critical to re-evaluate your settings and understand how and where to apply better security for better results.
1. Use Secure Access and Authentication
With the typical GitHub login using the basic credentials, a username and a password, you expose your data to malicious attackers in public, especially the username. Cyberbullies are smart enough to social-engineer you or the system to acquire information. Instead, use:
- a unique username and password with 2FA. We recommend using a password manager such as Google Password Manager to generate a unique, random password. More details here.
- a personal access token (PAT), especially when authenticating with the API, because you can easily revoke it at any time. It is ideal when testing the API. Since GitHub removed password-based authentication for Git operations, a PAT is the standard way to authenticate over HTTPS.
- an SSH key or HTTPS. Although firewalls and proxies may refuse SSH connections, you can work on all GitHub repositories over SSH.
With or without a firewall or proxy, you can work on all your GitHub repositories over HTTPS.
2. Use 2FA Authentication
You can avoid doxxing on your organization’s GitHub by securing authentication for members, billing managers, and collaborators. To keep malicious doxxers out, ensure that your organization requires 2FA for every individual account. This security measure restricts access to organization settings and repositories to accounts that have 2FA enabled.
3. Restrict Access to Particular IP Addresses
Configure the list of IP addresses allowed to connect to your organization. Wondering how? Use the “IP allow list” setting. This limits access to the organization’s assets to the listed addresses.
This feature helps you avoid getting doxxed on GitHub by letting you add, enable, edit, and delete entries in the IP address list as needed. It also protects you from self-doxxing by restricting where your private data can be accessed from.
Note that if you use an IP allow list and also want to use GitHub Actions, you must use self-hosted runners. For further reading, see how to host your own runners.
4. Set Your Base Permissions to None
Set the base permissions to “None” for the safest repository access. You will then have to grant permissions to each repository directly, per team or per user. But remember that if a repository admin grants a member access, that access overrides the base permissions.
So how does this help you avoid getting doxxed? Because a base permission of None grants no access by default, only the users and teams you explicitly add can see each repository, and your data stays protected.
5. Frequently Monitor Repository Access Permissions
This is a newer GitHub feature. It lets you monitor access to individual repositories. To check the access permissions for a particular repository, go to the repository settings and open “Manage Access.”
This feature helps you detect, and possibly stop, doxxers from accessing your repository and tampering with your organization’s assets.
6. Disable the Forking Feature
The more forks of a repository exist, the harder it becomes to monitor the security of each one, and the problem grows with every new fork. Doxxers typically use forks to create copies of your repository under their own account.
How serious is that form of doxxing on GitHub? Forking lets another developer create an experimental copy of the source code without altering the original. So the best way to avoid getting doxxed this way is to disable forking altogether.
7. Inspect Your Audit Records
Your organization’s GitHub settings let you review the audit log and inspect everything that has happened in the organization. For maximum source code security, check your audit log regularly to make sure that no suspicious or abnormal actions have occurred.
8. Review GitHub Apps and Third-Party Access
Getting doxxed on GitHub is easier if you neglect your basic account access settings. Fortunately, GitHub lets you selectively allow access for third-party apps. To use this feature, go to the organization’s GitHub settings and review “Installed GitHub Apps” and “Third-party access.”
With the above measures in place, you safeguard your source code and secure your individual and organization GitHub accounts. GitHub brings together enthusiastic software developers from around the world, but not all of them are honest.
So you can never entirely rule out getting doxxed on GitHub. Doxxers have several ways to get hold of your credentials and information. In equal measure, GitHub has built-in, user-friendly features to protect you from doxxing. You only have to explore them and take the necessary actions to minimize the chances of doxxing on GitHub.
However, if you did not manage to avoid getting doxxed on GitHub, you can report abuse to GitHub here.