Need a little help from my friends

AJ ONeal (Home) coolaj86 at gmail.com
Fri Mar 22 18:09:34 MDT 2019


> I'm unclear on what actually happened here.  Did someone steal your
> credentials?  You say you deliberately closed the account.  I know
> github shouldn't be reusing usernames (and all the downstream security
> implications), but how does someone grabbing up your abandoned github
> username constitute some kind of attack or hijack?
>

I renamed my account coolaj86 -> solderjs.

That puts a redirect in place.

An account was created that prevents the coolaj86 -> solderjs redirect on
the main page.

It also disabled old redirects that already existed.

Someone having the account gives them the ability to create a project of
the same name as a previous project and hijack project redirects as well.

As of yet, no project repository redirects have been hijacked. Only the
main account redirect has been disrupted.

The only problem that the supposed attacker has caused directly is breaking
the redirect from my old username to my new username. What appears to be an
inadvertent result, due to how the platform works, is breaking the old
redirects.

Since my username was very specific and not something that one would come
up with at random, my assumption is that unless it's actually GitHub
creating the dummy account in reaction to the March 6th attack, the person
creating the account is either generally reaping accounts with redirects
(i.e. iterating over lists such as this one
https://github.com/redox/top-github-users/blob/master/top-5K.csv - which I
am on) or specifically targeting me for an attack on a project. Either
way, the intent is to be disruptive and opportunistic, and highly, highly
unlikely to be an honest "oh, what a cool name that I've always wanted,
I'll just happen to sign up after this person *just* happened to rename
their account".
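
An added example, not part of the original post: because a re-registered username breaks rename redirects and lets its new holder create repositories under old project names, consumers can stop relying on the redirect and reference the new owner directly. The Python sketch below scans a dependency manifest for references to the old owner named in the post; the manifest, its repository names and the function names are constructed for illustration.

```python
import re

# Rename taken from the post: old owner -> new owner.
RENAMES = {"coolaj86": "solderjs"}

# Matches https://github.com/owner/repo, git@github.com:owner/repo and the
# "github:owner/repo" shorthand. The owner must be followed by "/" so that
# an unrelated account such as "coolaj86-fork" is not flagged.
GITHUB_REF = re.compile(
    r"(?P<prefix>github\.com[/:]|github:)"
    r"(?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9._-]+)",
    re.IGNORECASE,
)

def _pinned(match, lowered):
    """Return the reference rewritten to the new owner, or None if not renamed."""
    new_owner = lowered.get(match["owner"].lower())  # owners are case-insensitive
    if new_owner is None:
        return None
    return f'{match["prefix"]}{new_owner}/{match["repo"]}'

def find_stale_refs(text, renames=RENAMES):
    """List (line_number, found_ref, pinned_ref) for references to a renamed owner."""
    lowered = {old.lower(): new for old, new in renames.items()}
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_REF.finditer(line):
            pinned = _pinned(m, lowered)
            if pinned:
                hits.append((lineno, m.group(0), pinned))
    return hits

def pin_to_new_owner(text, renames=RENAMES):
    """Rewrite every reference to a renamed owner so no redirect is needed."""
    lowered = {old.lower(): new for old, new in renames.items()}
    return GITHUB_REF.sub(lambda m: _pinned(m, lowered) or m.group(0), text)

# Constructed sample manifest; the repository names are placeholders.
SAMPLE = """{
  "dependencies": {
    "example-lib": "git+https://github.com/coolaj86/example-lib.git#v1.0.0",
    "example-cli": "github:CoolAJ86/example-cli",
    "unrelated": "git+https://github.com/coolaj86-fork/example-lib.git",
    "already-pinned": "git@github.com:solderjs/example-lib.git"
  }
}"""

if __name__ == "__main__":
    for lineno, found, pinned in find_stale_refs(SAMPLE):
        print(f"line {lineno}: {found} -> {pinned}")
```
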


More information about the PLUG mailing list