Forks are copies of the original repository. As such, leaked credentials remain in the forks.
Commits from a deleted repository still exist and can still be accessed. Demo on YouTube.
Example:
They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork.
Also related to private repositories:
We demonstrate how organizations open-source new tools while maintaining private internal forks, and then show how someone could access commit data from the private internal version via the public one.
How to access the data? By direct access to the commit.
If you know the commit hash you can directly access data that is not intended for you.
AND
Commit hashes can be brute forced through GitHub’s UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit.
Brute force is practical because there are only 65,536 possible values at the minimum short-hash length, and 16,777,216 (6 characters per commit) is the more realistic search space.
Also, "deleting a repository or fork does not mean your commit data is actually deleted."
The flaw also exists in other version control system products.
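A defender-side check for the point that deleting a reference does not delete commit data, written as an added example (not from the linked research): it builds a constructed local repository, commits a fake key on a branch, deletes the branch, then lists commits that no ref reaches yet are still stored. The function names, the fake `API_KEY` value and the regex are assumptions; it works on a local clone only and does not model GitHub's fork network.

```shell
#!/bin/sh
# Added example: find commits that no branch or tag points to any more but
# that are still in the object store and still resolvable by short hash.

# Print unreachable commits in repo $1 whose patch matches extended regex $2.
find_orphaned_secrets() (
  repo=$1 pattern=$2
  # --no-reflogs: do not treat reflog entries as keeping a commit reachable.
  git -C "$repo" fsck --unreachable --no-reflogs 2>/dev/null |
    awk '$1 == "unreachable" && $2 == "commit" { print $3 }' |
    while read -r sha; do
      # --format= suppresses the commit header so only the diff is searched.
      if git -C "$repo" show --format= "$sha" | grep -Eq -- "$pattern"; then
        echo "$sha"
      fi
    done
)

# Resolve a short prefix (6 characters, as in the text) to a full commit id.
resolve_short() (
  git -C "$1" rev-parse --verify -q "$(printf '%.6s' "$2")^{commit}"
)

# Constructed repository: a fake key is committed on a branch, then the
# branch is deleted, which is what "cleaning up" a leak often looks like.
make_demo_repo() (
  repo=$(mktemp -d) || exit 1
  cd "$repo" || exit 1
  {
    git init -q .
    git config user.email demo@example.invalid
    git config user.name demo
    git config commit.gpgsign false
    echo readme > README
    git add README && git commit -qm initial
    git checkout -q -b leak
    echo 'API_KEY=EXAMPLE-NOT-A-REAL-KEY' > .env   # constructed value
    git add .env && git commit -qm 'add config'
    git checkout -q -
    git branch -q -D leak
  } >/dev/null 2>&1
  echo "$repo"
)
```

Any commit this reports still carries the credential, so the fix is to rotate the credential, not to rely on the ref being gone.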