Unanticipated privacy violation

Open cdosborn opened this issue 8 years ago • 4 comments

If you create a private gist and don't log in, your gist gets posted anonymously to GitHub. However, it's not private at all; anybody can view it.

From a user perspective, I anticipated that my login credentials were cached from my last use. Instead I was not logged in. I think it should be an error to post privately and w/o login.

cdosborn avatar Mar 17 '16 21:03 cdosborn

100% agree with this. I believe it should post the gist anonymously if and only if --anonymous flag is set.

ctrlrsf avatar Mar 31 '16 14:03 ctrlrsf

I filed this after unintentionally posting private content to a public anonymous gist. Fortunately, GitHub quickly removed it (on two occasions now their support has been quick and helpful).

cdosborn avatar Mar 31 '16 17:03 cdosborn

What's the difference between an anonymous private gist and an anonymous public gist? As far as I know you can only see either if you know the URL (same as for a logged-in private gist).

ConradIrwin avatar Mar 31 '16 17:03 ConradIrwin

@cdosborn even if you'd been logged in, private gists are viewable by anyone who knows the URL, exactly the same as anonymous private gists.

akerl avatar Mar 31 '16 17:03 akerl