Hacking GitHub Contributions Calendar
One of my favorite GitHub features, right after the explore section, is the GitHub Contributions Calendar.
First, I really like to proudly look to my commits count or streak after a rollout season. When you spend a lot of time coding to end a project and you can barely rest, having at least a beautiful graph of your work is a pleasure. Second, and more important, it is a very useful tool to search for code changes, either in yours or in a colleague’s profile.
But, with great fanciness comes great responsibility.
As a matter of fact, the commits that are shown in your contributions calendar may have not been created by you. GitHub calculates these commits based on all the public projects it knows. This means that any person can create commits with you as an Author, push them to GitHub and they will appear in your GitHub contributions calendar. Of course, there are some prerequisites before they appear on your calendar, but fulfilling them may be as simple as adding you as a contributor of the project, or tricking you to star the project.
Changing the author of a commit is a simple as:
git commit — amend — author “New Author Name <email@address.com>”
But, can this be harmful?
GitHub profile is being used as one of the main tools to hire in the Tech Industry. This means that if you are looking for a job, recruiters may spend as much time looking at your profile as they are looking at your CV.
If somebody commits xenophobic or homophobic contents with you as an author, recruiters looking at your profile will probably skip you as a candidate. Since the concept of Author and Committer are kind of obscure, most recruiters will not notice that this is a prank.
Funny Hack Demo
I spent some time creating a demo and instructions to test this exploit.
In this application you make a drawing and it generates the shell commands to create the drawing in commits. Push it into a new repository, add a friend, and she will have a beautiful calendar filled with fake commits!
Projects Exploring the Contributions Calendar
I would love to say I am a genius and that I discovered all these concepts by myself. But i was heavily inspired by other projects which show this problem commits.
Want to be a rockstar C++ Programmer without learning it?
The Good Part of Author Masquerading
Believe it or not, author masquerading can be used as a work tool. Asked somebody for help, this person went to your computer and changed some code? Add this person as the author of the commit!