Mac – Github for Mac installs a webserver, “github conduit.” Is that a security risk?

Tags: github, mac, security

Github for Mac is a helpful app provided for free by the people at Github.com. It’s a Mac OS X GUI for simple operations with git, and works quite well.

It turns out that when I visit a repo on github.com with my browser and attempt to clone the repo, JavaScript in the browser attempts to communicate with a webserver on my computer installed by the GitHub app, called “github conduit.” If it cannot communicate, when I try to clone a repo by hitting “Clone in Desktop” on the GitHub webpage, I get served an ad for the app, rather than having the repo cloned. Here’s the access according to the network monitor in Chrome:

Request URL:https://ghconduit.com:25035/status
Request Headers
Provisional headers are shown
Origin:https://github.com
Referer:https://github.com/BoltsFramework/Bolts-Android
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
X-DevTools-Emulate-Network-Conditions-Client-Id:00AF4013-DCE9-FF8D-32B2-9FA7D33BE9B5

I queried this with GitHub support, and they referred me to this support article. That says:

When you run GitHub for Mac, it automatically launches Conduit and tells Mac OS X to keep it alive. Thus, if Conduit crashes or you terminate it with Activity Monitor or kill, it will relaunch, even if GitHub for Mac is not running.

This surprised me. Having JavaScript in my browser talk to a local server of some sort, about which I know little, seems a possible security risk, especially since this wasn’t explained when I installed the GitHub app.

Is this reasonable? Should I be worried if my browser can talk to this server?

Best Answer

Yes, you should be worried about this. Any website can detect if you have GitHub for Mac installed by detecting if ghconduit.com loads or not. For example:

<script src="https://ghconduit.com:25035/status" onload="alert('GitHub for Mac is installed.')" onerror="alert('GitHub for Mac is not installed.')"></script>

A malicious website could use this to track users or target ads to programmers, all cross-browser. Luckily, no company seems to be doing that.
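The answer above shows the detection trick; the thing a defender wants to see is what a locally installed helper service should do so that arbitrary web pages cannot use it. The following is an added example, not code from the original post and not GitHub's Conduit (the page does not say what checks Conduit performs). It is a stand-in for a desktop helper exposing /status on loopback, written in Python, that only answers requests carrying an allowlisted Origin header and otherwise returns 403. The allowlist, the port (ephemeral), and the origin names used in the probes are constructed for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Constructed allowlist: the only web origin this local helper should answer.
# Illustrative only; the page does not say what Conduit itself checks.
ALLOWED_ORIGINS = {"https://github.com"}


class StatusHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a desktop-app helper exposing /status on loopback."""

    def do_GET(self):
        if self.path != "/status":
            self.send_error(404)
            return
        origin = self.headers.get("Origin")
        # Refuse any request that does not carry an allowlisted Origin.
        # A plain <script src=...> tag (as in the answer above) sends no Origin
        # header at all, so it is refused as well; the browser then fires
        # onerror whether or not the helper is installed.
        if origin not in ALLOWED_ORIGINS:
            self.send_error(403, "origin not allowed")
            return
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        # Echo back only the allowlisted origin; never answer with "*".
        self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Vary", "Origin")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the example quiet; a real helper would log refused origins.
        pass


def start_local_service():
    """Bind to loopback only (never 0.0.0.0) on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), StatusHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, origin=None):
    """Simulate a browser request to /status; return (status, ACAO header)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Origin": origin} if origin else {}
    conn.request("GET", "/status", headers=headers)
    resp = conn.getresponse()
    resp.read()
    acao = resp.getheader("Access-Control-Allow-Origin")
    conn.close()
    return resp.status, acao


def demo():
    """Run three probes: allowlisted origin, a third-party origin, no Origin."""
    server, port = start_local_service()
    try:
        return {
            "github": probe(port, "https://github.com"),
            "other_site": probe(port, "https://tracker.example"),
            "script_tag_no_origin": probe(port),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, acao) in demo().items():
        print(f"{name:22s} -> HTTP {status}, Access-Control-Allow-Origin={acao}")
```

Two points worth checking on any such helper: it should bind to 127.0.0.1 rather than all interfaces, and it should reflect a specific allowlisted Origin rather than `*`. The Origin check removes the clean onload/onerror signal, but a 403 from a running service and a refused connection from a missing one are still distinguishable by timing, so an allowlist narrows the fingerprinting surface rather than eliminating it; the only complete fix is not to run a browser-reachable listener at all.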
