@homakov discovered that the OAuth access tokens issued to Gist had a broader scope than Gist required. We have addressed this issue by limiting Gist’s OAuth scope to public profile information only.

This vulnerability has received extra points due to its severity when combined with other reported vulnerabilities.