@kamilhism discovered that it was possible to list the viewer’s comments on secret Gists with a scopeless OAuth token on our GraphQL API. A scopeless token is only meant to grant read access to public information, yet the secret Gist corresponding to each comment was also reachable through the gist field on the GistComment object, so the comment listing served as a path to Gists the token should not have been able to read. We addressed this vulnerability by restricting the field that lists the viewer’s Gist comments so that it only returns comments on public Gists when it is requested with a scopeless OAuth token.
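The following is an added illustration, not GitHub’s code: it models the authorization gap and the fix as GraphQL-style resolvers over constructed in-memory data. The Gists, comments, token objects and the resolver names are hypothetical, and the example assumes that a scope named "gist" is what grants a token access to the holder’s secret Gists. It shows why filtering the top-level comment connection by token scope closes the leak, and why the nested gist field resolver is worth gating as well.

```javascript
// Added example (not GitHub's code). Constructed data: two Gists owned by
// "alice", one public and one secret, each with a comment by alice.
const gists = [
  { id: "g1", owner: "alice", isPublic: true,  description: "public notes" },
  { id: "g2", owner: "alice", isPublic: false, description: "secret draft" },
];

const comments = [
  { id: "c1", author: "alice", gistId: "g1", body: "thanks" },
  { id: "c2", author: "alice", gistId: "g2", body: "private remark" },
];

// Constructed OAuth tokens for alice: one without scopes and one carrying the
// (assumed) "gist" scope that unlocks secret Gists.
const tokens = {
  scopeless: { login: "alice", scopes: [] },
  withGist:  { login: "alice", scopes: ["gist"] },
};

const gistById = (id) => gists.find((g) => g.id === id);

// Authorization rule: public Gists are readable by anyone; secret Gists only
// by their owner, and only when the token carries the "gist" scope.
function canReadGist(token, gist) {
  if (gist.isPublic) return true;
  return gist.owner === token.login && token.scopes.includes("gist");
}

// Resolver for the viewer's gist-comment connection and for GistComment.gist.
// With fixed=false it behaves like the vulnerable version: comments are
// filtered by author only, and the nested gist field returns the Gist
// unconditionally, so a scopeless token sees secret Gists.
// With fixed=true the connection drops comments whose Gist the token may not
// read, and the gist field resolver applies the same rule as defence in depth.
function viewerGistComments(token, { fixed }) {
  return comments
    .filter((c) => c.author === token.login)
    .filter((c) => !fixed || canReadGist(token, gistById(c.gistId)))
    .map((c) => {
      const gist = gistById(c.gistId);
      return {
        id: c.id,
        body: c.body,
        gist: !fixed || canReadGist(token, gist) ? gist : null,
      };
    });
}

// Convenience: which Gist ids a given token can reach through the listing.
function reachableGistIds(tokenName, fixed) {
  return viewerGistComments(tokens[tokenName], { fixed })
    .map((c) => (c.gist ? c.gist.id : null))
    .filter((id) => id !== null);
}

// Stand-alone run: compare what a scopeless token sees before and after the fix.
console.log("vulnerable, scopeless:", reachableGistIds("scopeless", false)); // ["g1","g2"]
console.log("fixed, scopeless:     ", reachableGistIds("scopeless", true));  // ["g1"]
console.log("fixed, gist scope:    ", reachableGistIds("withGist", true));   // ["g1","g2"]
```

The connection-level filter is what the writeup describes as the fix; the check inside the gist field resolver is added here to show that nested object fields need their own authorization, because in GraphQL any field that returns an object is a second path to that object.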