GitHub Security – GitHub Leaks Auth Keys in ‘Comment Left via Email Reply’


I've noticed that once I reply to GitHub questions via email, the reply appears on the issue page with action links (as it should be), but it also has authorization keys.

Comment on an issue as seen on GitHub:

[[Here is the text I replied by email]]
… [[<- Here is the clickable ellipsis link which, when clicked reveals the below]]

On Mon, Jan 7, 2019, 12:34 James ***@***.***> wrote:
 [[Here is the text I replied to]]

 —
 You are receiving this because you commented.
 Reply to this email directly, view it on GitHub
 <#25?email_source=notifications&email_token=JVIDJRSLJNC#issuecomment-123456789>,
 or mute the thread
 <https://github.com/notifications/unsubscribe-auth/LKJRNVSFGDFH>

Is my account now compromised in any way (e.g. a third party can unsubscribe me from a thread)?

Best Answer

Everything is safe.

I've contacted GitHub support about this, and this is their answer:

I've confirmed with our notifications team that the email_token parameter is not sensitive nor poses any security risk. The token is just used for tracking clicks in our notification emails.

I've opened an issue with our team to see if we can tidy these email replies up a bit as I can understand seeing a "token" inserted into comments is worrying!
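
For readers who would still rather keep these values out of public comments, here is an added example (not part of the original post and not GitHub's code) that finds and redacts the two token-bearing links from the notification footer quoted in the question before a reply is sent. The function names, the `REDACTED` placeholder and the sample text are assumptions of this example; the sample reuses the values shown in the question.

```python
import re

REDACTED = "REDACTED"  # placeholder chosen for this example

# Patterns follow the two links in the notification footer quoted in the question:
# the email_token query parameter and the unsubscribe-auth path segment.
PATTERNS = {
    "email_token": re.compile(r"([?&]email_token=)([^&#\s<>]+)"),
    "unsubscribe-auth": re.compile(r"(/notifications/unsubscribe-auth/)([^/?#\s<>]+)"),
}

# Constructed sample: an email reply that quotes the notification footer.
SAMPLE = """Here is the text I replied by email

On Mon, Jan 7, 2019, 12:34 James wrote:
> Here is the text I replied to
> Reply to this email directly, view it on GitHub
> <#25?email_source=notifications&email_token=JVIDJRSLJNC#issuecomment-123456789>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/LKJRNVSFGDFH>
"""


def find_tokens(text):
    """Return (line_number, kind, value) for every token value still present."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if match.group(2) != REDACTED:  # already scrubbed, ignore
                    hits.append((lineno, kind, match.group(2)))
    return hits


def scrub_reply(text):
    """Replace each token value with the placeholder, keeping the rest of the link."""
    for pattern in PATTERNS.values():
        text = pattern.sub(lambda m: m.group(1) + REDACTED, text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in find_tokens(SAMPLE):
        print(f"line {lineno}: {kind} value {value!r} would be posted")
    print(scrub_reply(SAMPLE))
```
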