Skip to content

Instantly share code, notes, and snippets.

@will
Created December 3, 2012 22:44
Show Gist options
  • Save will/4198815 to your computer and use it in GitHub Desktop.
Save will/4198815 to your computer and use it in GitHub Desktop.
Gists and oAuth warning

Warning: Do not give third party apps the "create and edit gists" scope, if you have any private data in private gists.

me:

when I grant that privilege to a 3rd party app over oauth, not the web interface.

This dialog: http://f.cl.ly/items/3y1q1s2C2Z321y150F1B/Authorize%20access%20to%20your%20account.png

Create makes sense, they can create them on my behalf. But edit is much more ambiguous. Can that app edit the ones it creates itself? Or any gist I have? Or just the public ones?

github:

It can edit any Gist that you've created. We dont' track what individual Gists an application has modified, unfortunately.

me:

Does their app have to know the id of the gist to edit it?

If my private gists are still unguessable by them, that's good, and mostly what I'm concerned about. But I'm assuming they don't get a list of all of my gists.

That they could look up my public gists through at the very least screen scraping, then edit all of them is less good, but not the end of the world.

github:

They can list all of your Gists with the "gist" scope.

@saulshanabrook
Copy link

https://github.com/settings/applications for current application access

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment