Git commit spoofing

Jacob Galam
Mar 18, 2020


“Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency,” according to the official Git site. Git is the most popular version control system, but despite that, Git allows you to make a “commit” in the name of any user!

What is a commit?

A commit is a way of tracking the changes in a project. Every commit has a message and a user.

What can you do with commit spoofing?

Of course, you can make changes in the name of any user without their permission or validation, even if they are not in the project at all! You can also check whether an email address belongs to any user.

What do you need?

Git, a Git project, and the email of the user you want to spoof.

Example

I am going to make a commit in the name of the user “jacopo-beschi” in my project. I can easily find his email in his bio on GitLab.

First, change the email in the Git config to his email.

git config --global user.email "intrip@gmail.com"

Make a new commit, for example:

git commit -m "spoofing commit 1"

And that’s it! Now this user has a commit in my project! Any user can see his commit in my project.

The first two commits are mine and the newest commit is our spoofed one.

Project link: https://gitlab.com/JacobGalam/git_commit_spoofing

Check whether an email belongs to a user

You can check whether any email address belongs to a user.

git config --global user.email "email_we_want_to_check@..."
git commit -m "check user"

Now we can see the user in our commits, if there is a real user with that email…

You can “brute force” user emails or run a “dictionary attack” to find the email of a particular user.

What can’t you do?

You can’t commit to the user’s projects if your account doesn’t have permission to.

You can’t change the name of the user. The only thing that matters is the email of the user.

Here I try to change the name of the user, but it does not work:

git config --global user.name "not real name"
git commit -m "fake name commit"

Fix in the future?

The author information on a Git commit is just metadata. You can set it to whatever you want. This is a necessary feature for distributed workflows, or any kind of workflow where one person may be committing on another person’s behalf.

Basically, it is a feature and not a vulnerability.
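
Since the author email is free-form metadata, what a reviewer can actually check is whether a commit carries a cryptographic signature. The script below is an added example, not part of the original post: it builds a throwaway repository with two constructed commits (the `example.com` addresses and the function names are assumptions made for the demo) and reports each commit's signature status using Git's `%G?` log placeholder.

```shell
#!/bin/sh
# Added example: list commits whose claimed author is not backed by a signature.

# Print "<sig-status> <short-hash> <author-email>" for every commit on HEAD of repo $1.
# %G? is Git's signature status: G = good signature, B = bad, N = no signature, etc.
commit_sig_report() {
    git -C "$1" log --format='%G? %h %ae'
}

# Keep only commits that do NOT have a good signature; their author
# email is an unverified claim and should not be trusted on its own.
unverified_commits() {
    commit_sig_report "$1" | awk '$1 != "G"'
}

# Build a temporary repo with two unsigned commits that claim different
# authors (constructed sample data), and print the repo path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" || return 1
    for email in alice@example.com bob@example.com; do
        echo "$email" >> "$repo/file.txt"
        git -C "$repo" add file.txt
        git -C "$repo" -c user.name="Demo" -c user.email="$email" \
            -c commit.gpgsign=false commit -q -m "commit as $email"
    done
    echo "$repo"
}

demo_repo=$(make_demo_repo)
unverified_commits "$demo_repo"
```

Both commits are reported with status `N`: the same machine produced them, and nothing in the commit ties either email address to the person it names.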
