Ask HN: Developer abused “sign in with GitHub”?

860 points by 2Gkashmiri ↗ HN
The offending website "nopecha.com", which unfortunately i found about a week ago on HN itself appeared to be another captcha service but one that was offering "1 Sec" solve speed for text captchas. i was interested and by the looks of it, a lot of people. their webisite only had "sign in with google" so i didnt bother. The day before i check the website out of boredom and saw "sign in with github". i logged in, clicked through a bunch of pages because its the same drill everytime. i found out that i had "automatically starred their repos". by the looks of it, around 500 "stars", the last i saw.

suddenly i am unable to log in to my github and the page just says "account suspended."

contacted their support and the last response i got from them was "your ban should stay as you engaged in improper behavior of stars farming" or some other BS.

Here is my problem. I am not a part of nopecha. I just used their website once using "sign in with github" button. That is the extent of my involvement.

How can github allow the developer to use "sign in with" button to create a situation that they could LATER consider abusive but then go ahead and ban all the victims also?

i did not voluntarily want to join their abusive practice, i just wanted a log into the website. (There was no explicit mention of the stars farming practice on the website) Why is github allowing the developer to abuse their Oath in the first place?

If this is going to be a norm going forward, i do not see any hope of "sign in with" buttons for any service because then you could be banned from one service and suddenly everything connected to your account is also banned.

I honestly expect the "sign in with x" button to provide a frictionless access to a website, thats it. how could the developer abuse that process and the website, instead of acting on the developer alone, are causing trouble to unsuspecting victims?

edit: to add a bit more context, here is the first reply i got from github on my support request

"Your account has restrictions imposed because it appears to have been used for the purpose of artificially inflating the popularity of GitHub accounts or repositories.

This activity isn't in keeping with our Terms of Service.

We'll need to leave the restrictions in place."

I knowingly or unknowingly accepted to allow the app to access my stars action or whatever. i did not engage in this practice myself, their automated system did. i even had "forkhub" android app and i did see "stars" and i remember unstarring 4/5 of their repos myself so its not like i did not try to undo their actions.

the problem here is. 1. if github is allowing developers to include their permissions alongwith the SSO workflow 2. github is allowing apps write action to stars from the users accounts which can be legitimate or not. 3. user is not responsible for automated actions taken without their consent or even if consent was there, user is not aware of the "actual scope" meaning app could say "you allow us stars access" but not "you allow us stars access with the knowledge that such permission can be a banable offense, you are warned" 4. unless the user is a sockpuppet account created for the sole purpose (by checking age/activity of user), is it reasonable to throw the banhammer so quickly on everyone involved? 5. why did github not ban the original dev, stop the users from starring for a "cooling period" or "undid their stars" ? why was a ban necessary?

493 comments

[ 0.34 ms ] story [ 324 ms ] thread
I know this doesn’t help your current problem, but there should have been a list of permissions your were granting during the setup flow. Anything more than asking for your identity is the indicator that a site could cause you trouble, unfortunately.
agreed. 100%. in hindsight, but you know how you sign in to netlify or to some other website, the same thing happens, you are supposed to accept and there is no "continue without giving these permissions" so its an "either you continue or go back and dont use" thing..... i am saying, over 500 people fell for this and this is a good example of "permissions overload" and other such phenomenon. you just go through the flow because you expect everything is in order
> you are supposed to accept and there is no "continue without giving these permissions" so its an "either you continue or go back and dont use" thing

I can't remember the site that does/did this, but there was some site that wanted you to log in with OAuth2 through some identity provider and they initially ask for access to your contacts. If you click 'cancel', it sends you back through the OAuth2 flow but without the "read contacts" scope. Sketchy dark pattern BS.

Permission overload exist specially when you are allowing users to sign up to third party sites with your platform credentials.

Any platform that offer easy to use API, openID or integration service should be concious about what they consider to be a vulnerable and what can be easily exploited. The amount of meaningless authorization buttons we have to press is astounding and it should be considered by all platforms. This argument doesn't advocate for strict integration control and disabling their OpenID features.

Any system that chalks up massive amount hassle to people only due to "human error" is poorly designed.

The problem is GitHub's permission system is bad. I'm not sure if the problem is that legitimate apps are required to request way more permissions than they want to get the ones they need, or if the prompts themselves are basically crying wolf all the time ("act on my behalf"? That could mean literally anything, why are you showing me that at the bottom of a list of other permissions? Doesn't it imply all the rest?).

So the only way to use them is to either deny most legitimate apps because of scary permissions, or learn to click past the prompts to get your work done. If people do the latter due to a bad system then GitHub is not blameless here. They need to fix their system.

Many of these permission grant UIs are bad. It should always be possible to grant some permissions and not others, and optionally, if a website does not receive a permission it should be able to send fake data in a well-formed API response response to fool it into thinking it actually got the permission.
> if a website does not receive a permission it should be able to send fake data in a well-formed API response

That's what you do when you're user centric. But it's also actively hostile to developers. What you should do is preserve a balance:

- let developer know permissions have been refused (no need to go chasing fake data)

- tell users to report apps that simply stop working without a given permission. It should be a separate "report button" that is on the same page as the "give permission" UI.

But this means you'll need people to review those reports properly, otherwise there is no balance. And that is why it's never done like this.

The right thing is to generate fake data, but also provide an API to check whether the data is fake or not. That way apps don't have to test every permutation of granted/not granted permissions to ensure they don't break, but apps that really care can still explicitly check to see if they got the permissions they wanted.
This opens the door to unscrupulous apps that deny you access if you are using fake data, in the name of tracking you.

Also, an app is merely a suggestion of what to run on a CPU. What actually runs, and what data is provided, is my decision, since it is my hardware.

> let developer know permissions have been refused

I don't think developers ever have a right to know permissions have been refused. People should have a fundamental right to lie about their location to private businesses, to protect their privacy.

Essentially how GitHub works is, when you sign in with the app, the app requires knowledge and data from the user. For example a simple GitHub integration telling you how many stars your repos have, they may need read access.

When you're asked to sign in, it will show you, this application can:

1. Read and manage your stars 2. Read and manage your repositories.

Be very careful when granting applications access because they can misuse it like this. GitHub integrations should be verified for editing repos and editing stars of the user, but that's just my opinion.

if stars farming is wrong, why should "1. Read and manage your stars 2. Read and manage your repositories." an application get these accesses in the first place?
I think the star farming is inside the 2nd permission, read and manage your repositories.

Applications such as Heroku in which you can host an application through GitHub require to read, access and edit the files in your repository. After all starring is just an action.

agreed. I am just saying, if someone can abuse stars action and be banned for it, what "legitimate" usecase is there in the first place otherwise?

So if this action was allowed by github, how is that a banable offense if someone gets overzealous with it?

I don't think it is bannable. I feel like explicit permissions should be verified by GitHub, so that they know that the use case is called for.
An app that manages your stars and repos in some manner can be completely legitimately. Imagine perhaps an app that shows you some concise, curated list of what you frequently use but haven't starred and gives you the option to star them. Or imagine an alternative GitHub UI that just generally replaced all of the features of the default UI, including starring and unstarring.

Most apps don't need that permission, which is why it's called out as an explicit special permission that apps need to ask for, which in this case it probably did. If you find a good way to make sure that nobody's going to just mindlessly click through a big list of permissions, I'd love to hear it because it's a real problem. But not letting apps do those things at all is a really heavy-handed solution.

read is okay, write allows these abuses, no?
Well for example say it's a SublimeText plugin that you use for code editing, browsing repos, etc. And one of the options that you have from the control panel thing (ctrl+shift+P) is "star current repo." That would be a perfectly legitimate use of the API to apply stars, because you're deliberately taking this action yourself, it's not an app doing it maliciously.

However, say that developer took advantage of the fact that the permission seemed reasonable to automatically make you star their app for that Sublime extension upon install. That would be malicious and unethical.

So there's a difference, but the permission isn't inherently sinister.

>However, say that developer took advantage of the fact that the permission seemed reasonable to automatically make you star their app for that Sublime extension upon install. That would be malicious and unethical.

that is what i am saying. whether i read the permissions or not, (i did not though) whether i gave them the permission or not, did i actually go and manually contributed to their stars farming operation or not? if i did, then i would be guilty, if not, well blame the developer, not the user who was tricked into allowing their app to do this maliciously

I guess the logic is "you are responsible for vetting who you give permissions to" but yeah this seems a bit extreme, I would not punish the users in this case either.
tomorrow github will ban sublime text because the dev allowed a malicious user to become a contributor and they changed the code to inflate their profile/repo. suddenly you are banned because you did not deny the permission to sublimetext ?
Because if it's not being malicious it might want to let the user star things in a non-farming way.

Is that not obvious? It's not a "farm stars" permission.

"Read and manage" does not at all sound like read-only access. Is that not supported by GitHub?
Reading is supported, but writing permissions can also eb provided. Heroku is one great example of this, if you want to host your application on Heroku then you will need to grant read and write permissions.

In that case, Heroku may add files such as Procfile, etc.

The required scope for stars is 'public_repo' and the UI for that does not mention stars at all. Unless you click the dropout all you see is 'Repositories - Public repositories', which does not sound dangerous at all (although yeah, that shouldn't be needed for login).

Clicking dropout shows that permission is r/w not just r/o, but does not mention stars either.

1. If those permissions aren't reasonable to ever grant, then they shouldn't be available.

2. A user has no way of controlling which permissions are abused.

If you get scammed, you get scammed, but the response from GH here isn't warranted. They're adding damage on top of whatever the user already got themselves into with allowing the malicious developer access.

It is trivial to determine whether an action was taken via a direct user interaction (using an access token granted by GH.com, by clicking a thing on their website) vs a 3rd party (who presumably had to go through a sign up to even use "Sign in with GH" and has a dedicated application ID). Instead, GH is attributing the actions of a 3rd party to the user, which isn't appropriate. They're essentially accusing the malicious developers' victims of being "in on it".

There could be cause for legal action against Github over this, since one could not reasonably expect that using Github's own "Sign in with Github" could allow the site you are logging into to automatically cause actions on your behalf that would result in your account being banned. Contact a lawyer.

Another possible legal angle is that by providing these powers to websites with little or no oversight and "people wil just gloss over it" UX, they are facilitating the very star farming they are banning over.

damn. i am one. haha. waiting for their support to respond to my "response". i would be sending them a strongly worded legal letter if they don't let up but yeah, around 500 people are suffering and i want to talk about them en masse
It probably wasn’t actually a standard “sign in with GitHub”, minimal SSO flow, it was likely an OAuth2 authorization code flow, where OP granted them explicit access to do things like star repos. Like, the button on the nopecha site may have said “sign in with GitHub”, but it actually kicked off and authorization code flow with GitHub, where you’re granting nopecha access to do GH things on your behalf. And OP just didn’t read things carefully enough, clicked through without looking.

This is a dead giveaway:

> i logged in, clicked through a bunch of pages because its the same drill everytime

For SSO, “login with GitHub” type flows, there’s no “clicking through a bunch of pages” post sign-in - you aren’t granting them access to your GH account, you’re just letting GH tell the site “yup, this is person X”. What OP describes sounds like explicitly granting a 3rd party access to your GitHub account, and OP was just being sloppy - I’d strongly bet the pages said things like “do you want to grant nopecha access to star repos on your behalf”, and OP clicked “yes”. If there’s any lesson here, it’s to read things more carefully, and not just freely give out access to your accounts to sketchy websites.

no i did not because when i click on “sign in with GitHub” flow, that is the only thing i expect to happen. whatever the dev added to the workflow is what i assumed to be needed for the login to happen
That’s kinda your own fault. You could have known they were going to be able to star repos on your behalf if you’d read carefully.

What is strange is that you are banned for an action someone else took. That doesn’t make any sense.

As I said, it’s a lesson to read more carefully. If you’re granting a sketchy website broad access to your accounts without even reading what you’re granting, bad things are guaranteed to happen.

Also, seems like you’re probably a developer? If so, SSO, OAuth2, OIDC, etc. are worth learning about. You seem to be confusing/conflating SSO and OAuth2 authorization code flows, when they’re reasonably different things.

GitHub could not control what lies other websites tell. They can have a button saying “Sign in with GitHub”but totally not signing in with GitHub.

That said GitHub should have banned that website for lying and abusing instead of OP.

This proves the point that these third party "Sign in with" buttons are really dangerous.

It makes a possibly dodgy website look more secure and legit by using a well known provider like Github for the login process.

In addition, it potentially exposes data from that well known provider, which is often sensitive data, as in the case of Github.

When I double click on free_cookies.exe which I got from totallyawesomenotavirus.com I expect my computer to start giving me chocolate chip cookies.

Or maybe I shouldn't just take everything at face value and pay attention to what I'm doing.

And how has that worked out for the last 40 years.
I've always had at least one confirmation page where it stated what data would be shared with the 3rd party and what kind of access they get to my account.
True, there’s often a “GitHub will have access to your email address” type confirmation in SSO flows, as that’s basically what SSO is (it’s GH telling a 3rd party “yup this is bob@example.com, feel free to log them into your site as bob@example.com”).

However, what you won’t see in a standard SSO flow is anything along the lines of “GitHub will be able to star repositories on your behalf.” If you’re seeing those kind of messages, you aren’t doing a minimal SSO flow (just having GH vouch for your identity), you’re granting access to a 3rd party to do things with your GH account.

I was with you until the last two sentences.

I'll honestly never get that point of view: it's an evolutionary disadvantage to not fall for these kinds of attacks. Our intelligence is largely predicated on how easily we can pattern match and filter out "excess" information.

So OP being bombarded with a list of harmless permissions along with one deceptively dangerous one (deceptive because they wouldn't expect to lead to being pwn'd anyways, since it's stars) and granting is not being sloppy, it's being an intelligent person.

Github is large enough to have UX experts who know this stuff, and at the very least if stars are grounds for being banned, they should be grouping it with dangerous permissions and using more confirmations.

And even better... they should just rate limit starring! How often is someone going to star 500 of someone's repos legitimately that rate limiting would ruin everyone's day?

FWIW, I agree GH shouldn’t have banned OP. But … I’m pretty sure they weren’t giving out access to control OP’s account through a standard SSO flow, as OP assumed. Massively more likely, OP just didn’t pay attention, and granted said access explicitly during an OAuth2 authorization code flow.
My entire point is that they did explicitly grant the permissions and that if you see a dialog like this: https://i.stack.imgur.com/Iol8j.png

And you're ready to hand over even the first 3 items there, you're not likely to assume or even notice that github stars about to get you knocked out of orbit.

I know this is a place of hubris but it almost comes across as a strange lack of self-awareness that this many people actually think they'd have caught that.

> ..is not being sloppy, it's being an intelligent person.

No, that is being an intelligent ape reacting to a twitching bush by running up a tree on the chance that a predator is behind the bush. The tables have turned since then. Back then the analytical ape would have gotten eaten and not passed his genes on, but there is no longer a biological imperative to mindlessly react to things.

And now I want to listen to Running up that Tree, by Ape Bush
You got me, I thought for a moment that I accidentally channeled Weird Al instead of Pearl Jam's Do the Evolution.
That's... not how evolution works at all? I almost want to think this is satire.

Modern humanity hasn't existed for an eye blink compared to the everything that led up til now, so there's two kinds of people:

- People who understand we all have these blind spots and understand account for them

- People who don't even realize how often they run into these blind spot.

You're much better off learning to be the former, but I'm sure it feels good to proclaim from on high how you're just sloppy for not checking every dialog you come across...

That is exactly how evolution works. Now if you wanted to argue that evolutionary pressure no longer applied due to modern medicine and safety regulations... you'd still be wrong, but at least you'd look less silly. So there's two kinds of people:

- People who've heard about about the marshmallow impulse control study + the effects that medieval-plagues/cousin-marriage has had on the human gene pool

- People who say silly things like "Modern humanity hasn't existed for an eye blink compared to.."

You're much better off reading a long term study on the life trajectories of people who had their impulse control quantified as children - spoiler: they do not do well in the modern world relative to everyone else enjoying a reduced probability of incarceration.

There's an incentive to ignore the trivial BS that other humans relentlessly waste your time with. Reading EULAs and watching ads are not the path to success. People are trained to ignore information constantly.

Intelligent apes surrounded by wiggling bushes stop paying attention to wiggling bushes and get munched on by a predator eventually, no?

> Reading EULAs and watching ads are not the path to success.

Agreed, but unlike a login prompt, those things are there for the benefit of others - not you. To continue the analogy: blowing through a login (or changing traffic signal, regardless of color) is like an ape exposing his belly to any silhouette vaguely shaped like a trusted member of the troop.

> ..stop paying attention to wiggling bushes..

Dunno, he could also have a breakdown - lab rats are known to practically lay down and die when you suddenly reverse the role of external stimuli in a system of punishment and reward. But I don't see how that fits here, the user isn't being plagued by nonsensical login prompts constantly springing into existence.

My point was just that whatever mental heuristics we use to decide whether information is worth parsing or not are built up over our lives. As with all such approximating things, there is trade-off between false positives and false negatives. The large amount of junk information one encounters in modernity could lead to aggressively-tuned heuristics, resulting in more false positives relative to negatives, effectively sending useful information to a mental spam folder.
Giving a website access to star repos through the API for my convenience is not anything I should be banned over though.
That I do agree with.
from github's pov you starred the repos. You signed up for a service the stars repos. it could have been starallthereposforme.com and you signing up a granting them permission to star repos is exactly what you wanted. So girhub is correctly assuming you wanted those repos starred.

If you didn't want them starred you shouldn't have given the site permission to star

GitHub should be able to tell that this was an abusive service doing it though.

Legally they might be in the right, but punishing victims of social engineering further doesn't seem like a fair or smart business decision.

yep, it is easy for them to know if the star was the user itselft OR a third party app through the API...
But an 'abusive service' might still involve misconduct by the user in question.

Suppose there is a service which allows you to watch free porn videos as long as you hand over permissions to star a bunch of repos using your account. Clearly, the service is abusive and should be banned. But isn't it also quite fair for Github to penalize the users? They knew they were handing over something of value when they authorized the access. Either they chose to exchange their genuine 'Github clout' for something they wanted, or their accounts are spammy in the first place (for example, if they created an account solely to access that service).

What you give the site access to is something like ‘Full-repository access’, the permissions aren’t granular enough to specify starring.
If you gave the owners of some website permission to star repos on your behalf, then you are trusting them; you are still the one responsible for your endorsements. Whether endorsing the wrong repo ought to ban worthy is definitely up for debate. But the question of whether you endorsed manually or delegated it seems unrelated.
Why have repo-starring API if you don't want users starring repos via API?
You will have to find someone who’s suggested that they don’t want users starting repos via API to ask them that. I’ve instead suggested that repos started via clicking and API should be treated the same way.
How far does this extend though? Should people not be banned for granting access to any app, and doesn't the screen where you grant access present some kind of disclaimer or warning?
> Giving a website access to star repos through the API for my convenience is not anything I should be banned over though.

Sorry, hard disagree. You have responsibility, here. We all do. Be extremely wary of what privileges you are giving away, and do not hesitate to forgo sign-in when the privileges are unreasonable.

Why would anyone click "yes" to a random site that wants control over their Github starring privileges without a clear explanation as to what they will be using it for?

We can excuse the naïve, but this is a tech-related site. If you don't know, now you know.

Exactly.

We keep asking that users must be asked for explicit permissions and granular scopes are for the good and then users themselves skip reading on these permission grants.

Github has always (in my experience) been clear about what permissions are being granted to the site you're signing into, and if you don't agree, you can easily cancel the sign-on flow.

It's not clear at all. The scope UI says 'Repositories - Public repositories'. It does not sound dangerous and only reveals that the access is r/w (not r/o) after expanding the dropout. It does not mention stars at all.

An example requesting the 'public_repo' scope (the client_id is a random one from the internet): https://github.com/login/oauth/authorize?client_id=33a703d01...

Sounds like the basis for an argument for refining the scopes such that it is abundantly clear which scopes write data and which ones do not.

No one should be surprised that allowing an untrusted program to write files and permissions through an operating system could lead to a security exploit.

Many would likely be cognizant of the risk of becoming a member of a botnet.

Allowing untrusted programs to control your digital services is not fundamentally different, in my current perspective.

Of course. When you grant someone read/white you expect that they may delete all your repositories for shits and giggles.

What I would not expect is Github banning me in some misplaced form of victim blaming.

Truly though, wouldn’t you expect that your IP might be banned if your computer was compromised by a ddos botnet?

Your GitHub user account was compromised by a bad actor, so it shouldn’t be surprising nor considered victim blaming.

Of course, GitHub might cross the line to being unreasonable if they become aware of this as a potential security issue and fail to mitigate the phishing risks that they are exposing their customers to.

edit: restoring your user account to good standing, if absolutely necessary, is certainly something to strive for, but be aware that it can take years or never, from anecdotes that I’ve heard about Google, Apple, Twitter, etc. Microsoft/GitHub/LinkedIn won’t likely be any different, in that regard

> Your GitHub user account was compromised by a bad actor, so it shouldn’t be surprising nor considered victim blaming.

But GitHub sees where did the request to create the stars come from. The requests all came with authentication tokens associated with the given malicious site. They have all the data to see how the account got “compromised”, and they also can see that the account owner is unlikely to have knowingly participated in the “star farming”.[1]

The obvious and correct solution is to delete all stars created through tokens associated with the malicious site[2], disable access for the malicious site and write a letter to the compromised users.

1: further absurdity is that by deciding that the stars were farmed Github already made the decision that they are not comming organically from users. Because if they were comming organically from the users then it wouldn’t be star farming, just a popular repo. So why are they punishing the users then?

2: one more absurdity is that stars don’t cost github anything. It is just a number in a DB. It is not like they incurred a cost due to this attack. Github decided that they care about some stupid stars, and make the farming of them a bannable offense.

If you lend someone your wallet so they can buy milk, and they go on a buying spree with your credit card, that’s still a crime.

You can blame the person handing out the wallet for being naive, but ultimately the bad actor is the other.

Yes, we should be careful, thanks a lot for this hindsight, but giving developers the ability to request for a permission and banning users who click it by accident or doubt is kind of a dick move. Why not remove the permisson and ban the developer instead? To teach people a lesson? Would you like a leash and a whip with that?
I believe that the individual responsible for these bans should be transferred as punishment: working on the weird photo editor in PowerPoint, or the msvc++ compiler.
The issue here is that the OP did not abuse anything, tried to correct the mistake once discovered and was 'still' the one being punished for someone else's shady practice.
Presumably the OP would also have been aware that they were giving this third-party app the ability to rewrite the code on any of their public repos.

I automatically decline the moment I see any app trying to authorize with that scope.

Nonetheless, perhaps this is pointing to Microsoft’s Window’s UAC moment for GitHub.

Bright yellow or red UX with warnings that if you click “agree” then you might as well have given away your computer to a malicious actor.

I think it’s because from GitHub’s standpoint, OP looks just like a bad actor who took $5 to allow someone to use their account to Star 500 repos, and says the same things.

GitHub is taking the “ban them all and let God sort ‘em out” approach to figuring out if OP is telling the truth.

You realize that the oauth token is tied to the client app, right? Not only can GitHub see that this action was taken by/through a third party service, they can also see all actions taken by that service across all users. So there are much better ways to detect and correct the abuse.
All oauth tokens are authorized by users. So GitHub sees the app and sees the users who authorized the app. Users are responsible for all the bots that act in their names.

Otherwise it would be quite simple to write a malbot and then claim innocence because it was the bot doing it, not me.

I think the approach to automation is best when the authority and responsibility always ties back to an individual or group.

Not really necessary to curse at someone, even if you strongly disagree, my guy. You've been around HN long enough to know better.
> You've been around HN long enough to know better.

I’m sorry which rule covers that?

It's the very first guideline regarding comments:

"Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community. Edit out swipes."

If falls pretty squarely under these guidelines:

>Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community. Edit out swipes.

>Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

>When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."

https://news.ycombinator.com/newsguidelines.html

For what it's worth - this is the same colloquial language I would use with close coworkers when discussing topics.

None of the cursing is directed at the person, but the topic under discussion. At no point have I cursed at him, or even been snarky to him. I have used emphatic language outside of a formal setting.

Personally - the existence of a curse word alone is not enough to invalidate an argument.

And in this case - it reflects my true opinion on the topic: It's bullshit to blame the user here, when the tech exists precisely to allow more accurate determinations of cause. It literally exists to prevent EXACTLY the sort of grey area the commenter above me seems to take for granted. I absolutely should be able to allow an oauth app to interact with a service and not be held accountable for malicious actions of that app if the actions are the result of abuse by the app and not my intent.

Otherwise why fucking bother with the rigmarole of the oauth app registration in the first place? Just hand the user a personal access token and let them plug it in where ever they'd like if you're going to ban them anyways...

What would the 'completely valid and compelling reason' be in this case? I can't think of one.
I'd like to login to a 3rd party site to determine that their DOM structure hasn't changed - because I develop an extension that interacts with it.

It's great when you can get a test account for this, but often companies will simply tell you "create a throw away account and test there" (ex: google does this).

That's not malicious - I'm well within my terms of service - I'm not doing anything with the service other than ensuring that behavior that is not contractually guaranteed still works (because unlike an API, most sites change their DOM often and with no warning).

It's not something I can fake with self-hosted content or mocks, because my version won't change when their DOM does.

---

I've investigated captcha solutions for this exact reason. Not to mention ways to automate 2fa. I understand the overlap with malicious intent here, but just because there is overlap does not imply that OP was malicious.

>without a clear explanation as to what they will be using it for?

No one lies on the internet? Those Nigerian princes are very clear what they are going to do with the money you send them, but it doesn't make it true. Providing 3rd party access to an account should come with over sight abilities.

Asking "What if this other thing that didn't happen, but could happen, happened?" and then using that to excuse reckless behavior.

I'm going by what the guy wrote. He "clicked through a bunch of pages". If you "click through a bunch of pages" and get scammed, you suffer consequences. Play stupid games, win stupid prizes.

The whole story is suss, tho.

Getting your account hijacked and engaged in suspicious behaviour is cause for Github to suspend the account. You're not free from blame when you let your account be abused, at best you might be able to ask Github to help get control over your account back.
Except GitHub allowed the abusive service to integrate in the first place, and knows every request it created...
if i go with your argument, "what wrong did i commit" if i allowed an application a legitimate action of managing stars? how did i know beforehand the app was going to abuse this very action because there are other commenters saying that stars manage action is a legitimate, non-sinister action in itself so where was i sloppy?
I agree you should not have been banned - I think GH was wrong there. You got taken advantage of, you weren’t being malicious.

However, getting banned is pretty minor compared to the other bad things that can happen if you grant sketchy websites access to your accounts without reading what you’re granting.

I'm sorry you lost access to your github account, but let's be fair. This is not a legitimate application for managing your stars, this is a page that was committing fraud and probably requested access to your account in exchange for committing further fraud on your behalf. You were already logged in. Why did you log in again with github? Because it asked you to, and promised you more rewards if you did?
> Why did you log in again with github?

Sorry I'm somone else but I'd just go and assume it was because they are human, not a terminator, and their eyes do not have an integrated HUD talking with GitHub's backend with status indicators showing each currently authenticated account??? You want this kind of correctness you have to write software in Rust or something. "You're holding it wrong" lol

It's a bog-standard oauth2 authentication flow. I'm positive GitHub showed OP the list of permissions that this sketchy third-party app was requesting, and OP granted those permissions.

Yes, you are supposed to read the dialogs. OP really got got, and that sucks. But it's literally why that permissions checklist step - that they ignored - exists.

And they're a bog-standard human. Very buggy, get all kinds of tired and sleepy and drunk and high. I don't have the patience to be terrorized with some dumb ass permission lists when I want to access something. My brain is there to process the experience of eating tasty food and making children with an another human or whatever, I'm not an API. Just ask yourself if the UI would confuse your demented grandmother, if it would then it's shit and I hate it. oauth, shmoauth, who cares?

If the same happens to me I'm positive I'm /punching the screen, locating whoever set that bullshit up and taking a dump into their physical mailbox./

> And they're a bog-standard human. Very buggy, get all kinds of tired and sleepy and drunk and high. I don't have the patience to be terrorized with some dumb ass permission lists when I want to access something.

None of those things are an excuse. The dialog is there as a gateway to protect your data and GitHub's platform from the third party. If you're not going to review a clear dialog describing the permissions, then there is nothing that GitHub can do, other than decide that you cannot be trusted with this responsibility.

Also, drunk and high? You chose to be in those states. If you can't make the decision correctly in whatever state you currently are, then shouldn't be making decisions in that state. Take some responsibility for yourself.

All of those things are an excuse. The dialog is dumb and annoying. And excuse me but who are you exactly to tell what I can be trusted with? What responsibility? I'm not responsible for shit, it's a dumb website with bad UI and if I close my eyes then it disappears, that's how irrelevant it is to my life.

I don't really believe you "choose to be in states", what an absurd way to think about the behavior of hairless apes. Sorry but I will continue having the illusion of making decisions in whatever state I please. What now?

Maybe have some kids or smoke a joint because you're going to end up in a looney bin with this kind of expectations towards your fellow idiot humans

> Maybe have some kids Got those. I teach them responsibility for their actions.

> smoke a joint Done that. Didn't use it as an excuse.

> What now? Consequences don't care about your defiance. Nor should GitHub or whatever party has to deal with you.

Normal people make mistakes. Decent people care about limiting the damage to others. Assholes blame everybody else and deny all responsibility.

That doesn’t mean the inverse is true though: “if someone else is to blame you’re an asshole.”
Many things are untrue. Including "if someone else can be blamed, I am blameless".

But that's getting a bit off track. I responded to the attitude where someone should not be expected to read a simple and clear dialog because they were a hairless ape that could be drunk.

> someone should not be expected to read a simple and clear dialog because they were a hairless ape that could be drunk

FINALLY you said something reasonable :-D I'm sorry for being an idiot, I wanted to give a different perspective, I guess I'm passionate about nice and human UI. What happened to OP is what I call a Huge Dick Move. I will defend them to the grave because I like to cut people a big big piece of slack. Because yeah they could be drunk, or just tired, which is cool, you know.

What's not cool at all though is so called "engineers" ebgineering shit like OP described which makes me ashamed of my profession everytime I watch my grandpa painstakingly wade through crap like this all the time.

I will cope, I'm a dev, many people will not and there goes their UX. Straight to trash \o/

I don't want to get absolved of my responsibilities or whatever, I want UI that doesn't suck dick and ideally doesn't star 500 repos by itself

>You were already logged in. Why did you log in again with github? Because it asked you to, and promised you more rewards if you did?

when was i already logged in? there was only 1 action of "sign in with github". thats it

> probably wasn’t actually a standard “sign in with GitHub”, minimal SSO flow, it was likely an OAuth2 authorization code flow

This is accurate, but oauth2 is the standard sign in with GitHub. oauth is literally designed as an authorisation mechanism to allow people to do things on your behalf, the ability to authorise access was later repurposed into an authentication mechanism.

Now I haven't gone through this process with github, but for other pages where I have gone through it, the issuer doesn't just hand out scopes like candy.

It's not enough that the user gives an app permission to act on my behalf, the issuer (in this case github) also has to give the app permission to ask for these scopes in the first place.

Github definitively messed up in giving the nopecha app permission to ask users for permission to star on their behalf.

If stars are important enough for them to ban users over, they should be very careful about letting third party apps request this scope from their users.

For context, in order to star projects on user's behalf you'd need to request public_repos scope[1], so the UI will look like this: https://github.com/login/oauth/authorize?client_id=33a703d01... (I used a random client_id from google search). As you can notice, the UI does not mention stars at all.

[1] public_repo: Limits access to public repositories. That includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories. (https://docs.github.com/en/developers/apps/building-oauth-ap...)

That [1] is how "ask only for e-mail", "proper" "just" SSO looks like.

While sure it isn't immediately expected to access "stars" feature when you give public repo access...

...you're giving it fucking repo access. That's WAY more (on a "how bad it can be if you get hacked") permissions than just starring.

Wow, this is really bad. The words "read and write" are hidden unless you click on the arrow next to "Repositories".

I'm surprised this hasn't been used for malicious purposes until now.

> That includes read/write access to code [on public repos owned by the user]

What the hell, imagine logging-in with your account, you as a maintainer of a large public repo, and failing to understand clearly that you are giving a 3rd party the possibility of commiting on your behalf.

Seriously there should be a big red warning on all scopes apart from the "none" one.

I believe github doens't even have a scope that gives read access but not write access. So we users have been trained to just grant that scope to people who really only need read access, because it's the only thing that works. And in general trained not to even pay attention to those scopes anymore -- on github specifically -- because they are such a mess, and third-parties routinely need scope overreach to do what they want.

So I do think github is broken here in a way that predictably leads to problems like above. They need better more granular scopes (and have for years; I don't understand why with their resources they haven't prioritized it), and then they need a better UI for making sure the user understands what they are granting, differentiating between read vs write, etc.

Without that... it's only a matter of time until something much worse happens, like someone abuses a scope to insert malware in someone else's repo. I would not be surprised if it's happened already but hasn't been publicly known.

BUT, also... you sign up for a service that will for-pay get around captchas for you so you can automate access to a site where the captchas are intended to prevent automated access, and then you're just shocked that this service would do something unethical...

> the issuer doesn't just hand out scopes like candy

GitHub isn’t doing the handing out, it is the user doing the handing out.

I don’t blame the user, as a rule, but in this type of scenario, the user (a consumer of development tools) shouldn’t be excused, in my opinion.

This would be like a doctor complaining for getting sued for malpractice by a patient of a nurse under the doctor, while the doctor neglected to review the patient chart and neglected to take the time to speak with the nurse.

caveat emptor

All that said, I would hope that bad actors that get caught, effectively phishing for GitHub credentials, using a technique like this end up being banned from GitHub.

As I said, before the app even can ask for a scope, github has to give that app permission to ask for a scope.

I have written some integrations against altinn, the Norwegian government's portal for basically anything official. Getting approval for a scope there is a process, as well it should be. If I write an app that lets users send construction applications to the local municipality on the user's behalf, do you think I can just sneak in a request for permission to change the user's address, name and bank account registrations as well? No. There are scopes for that (I assume), but my app won't get to request them, no matter how much the user would be willing to give them.

And "caveat emptor" is not the threat model you can get away with on the web. Sure, it would be great for me as a dev if I could just disavow responsibility for cross site scripting attacks and other attempts to misuse the user's credentials. But I'm a user too, and it would NOT be fun as a user.

Github is not the Norwegian government though. Github is not a gateway to public bureaucracy or to public services. It provides repository hosting, project management, and integration with build tools and similar services. Fostering a wide ecosystem is a core part of their business strategy, and as such applications are only validated superficially. Also, it operates at a scale that makes such validation infeasible.

Furthermore, the audience of Github is decidedly more technical than a government website or social media platforms. IMHO it can be expected that its users step through authentication flows a bit more carefully.

Github should act more decisive when applications turn out to be malicious though. The Laissez-faire policy of frictionless integration of applications has to be balanced with effective procedures to react to malicious uses.

> Also, it operates at a scale that makes such validation infeasible.

It's a choice to be at such scale that github cannot validate 3rd party auth. Gothub should accept fault for these incidents if they are not going to validate their partners.

It's the exact same as third party sellers shipping counterfeits on Amazon. Choosing to achieve massive scale leaves quality, validation, and consumer protection behind.

GitHub is Microsoft. And as a provider of developer tools, weird to see such apologism for their inability to structure oauth scopes correctly and provide effective unambiguous UX for user consent.

Let alone banning the user instead of the client app...

> And "caveat emptor" is not the threat model you can get away with on the web.

Caveat emptor is not a threat model, it is a risk mitigation.

It is arguably the only mitigation directly in the hands of the consumer.

And that the modern phrase is from a 2000+ year old “dead language” should certainly speak to the longevity, utility, and effectiveness of that mitigation.

> it would be great for me as a dev if I could just disavow responsibility for cross site scripting attacks and other attempts to misuse the user's credentials

thankfully there are standards and RFC’s that indicate best practices that recommend that these security risks be considered and mitigated

edit: see Rich Authorization Requests <https://www.ietf.org/archive/id/draft-ietf-oauth-rar-18.html> for the “work in progress”

When you run a service on the web, it's not enough to protect yourself. You must protect your users to the best of your ability. Threats against your users must be part of your threat model.

If not, you won't keep them. They will leave. And saying "caveat emptor" will be about as effective at preventing that as saying "wingardium leviosa".

> When you run a service on the web, it's not enough to protect yourself

Nothing but agreement there.

Can you identify a specific recommendation by the IETF or W3C that was ignored, in this case?

> And saying "caveat emptor" will be about as effective at preventing that as saying "wingardium leviosa".

I had to look up that apparent reference to Harry Potter, but I disagree.

Educating your users about phishing risks, aka “caveat emptor” in this context, is explicitly a best practice for mitigating these kinds of security risks on the open web.

Did you see how apparently inoffensive the permission granting sign in is? It looks very similar to a standard login. It would be very easy for anyone, regardless of knowledge, to blow right by that. The lack of distinctive labeling as not a standard sign in operation is really irresponsible on the part of GitHub here.
API scopes could totally use some mandatory standards. You can't make a digital ocean token to simply edit DNS without full delete-all-your-VM's & charge thousands access.

Similarly we shouldn't bill for service accounts, especially when they're documented as the way to limit API token access. It's self-defeatist like taxing longer passwords.

Finetuned permissions cost to implement. GitHub doesn't have them (maybe we wouldn't have seen this post if it had).

Therefore if you want them, pay up or do it yourself.

> Finetuned permissions cost to implement. GitHub doesn't have them (maybe we wouldn't have seen this post if it had).

They exist for github apps, and they're being rolled out for PATs alongside forced expiration: https://github.blog/2022-10-18-introducing-fine-grained-pers...

Not sure there's any way for them to happen for oauth apps though. And even if they do, they're opt-in for the app and the old broad scope will remain. At best the broad scopes would only be accessible to old apps grandfathered in but that ain't much (there's probably a billion abandoned oauth applications you could purchase for that grandfathering).

That's not a practical suggestion, since GitHub isn't self-hosted or open-source.
Fine, put that behind my $x/mo account + service accounts.

$x/mo * Service accounts is dumb.

Well, it is PITA to implement so I'm not surprised really...
No this is standard procedure. You have to register the permissions you are going to request to github. But github is not going to inspect your app and checks that they are indeed required.

Github's responsibility is to ask consent to the user and display all the requested permissions. If the user accepts then Github has done its work.

This is how all oidc providers work.

It is not how Oauth2 needs to work, or should work. OIDC is (or should be) about the user's identity only. It's for third partiets to know who you are, not for third parties to act on your behalf.

If the screen to give a 3rd party permission to identify you, looks like the screen to give a 3rd party sweeping permission to act on your behalf, that's github's responsibility and problem.

It would also be a good reason for responsible 3rd parties to ditch github for identity, if they don't address it.

(Another matter is that the big public OIDC providers' eagerness to let you use them might be a lot about tracking.)

OAuth is definitely about scope.

See the latest draft for OAuth Rich Authorization Requests (“work in progress”): https://www.ietf.org/archive/id/draft-ietf-oauth-rar-18.html

edit: you might be mixing up / conflating Open Authorization (an authorization standard - authorization scopes are in scope) with Open Identity (an authentication standard - authorization scopes are out of scope)

edit 2: It probably doesn’t help disambiguate which auth is which when the same company is providing both the authentication service and the authorization service.

Why is everyone linking this draft? It's got very little to do with what we're discussing.

Yes, of course OAuth is about scopes! But OIDC is a protocol built on top of OAuth2 which is for identity only. You get no permission to act on the user's behalf from the OICD scopes, only read access to information you need to identify them.

This whole problem only happened because

1. Github is an OIDC provider, allowing you to identify yourself to websites around the world.

2. Github ALSO uses OAuth2 to delegate permissions to the user's stuff on their own site.

3. The one looks too much like the other. OP probably thought he was just showing ID, but what he was doing was giving the site sweeping permission to act on his behalf, which the site promptly misused.

The problem here starts already at 2. That anyone can create an integration and ask for OICD scopes, is one thing, but why do they make it so easy to hand out their own scopes? There are not that many third party apps that have a legitimate need to act on the user's behalf. Maybe some continuous integration stuff? But even that should only have access to the user's own repositories. Nothing I can think of has a legitimate need to go around starring random repositories.

> That anyone can create an integration and ask for OICD scopes, is one thing, but why do they make it so easy to hand out their own scopes?

That was probably one of the advantages of shoe-horning authentication (OpenID) with the existing authorization standard (OAuth).

> Why is everyone linking this draft? It's got very little to do with what we're discussing.

> … Github ALSO uses OAuth2 to delegate permissions to the user's stuff on their own site

> … But even that should only have access to the user’s own repositories.

Seems like Rich Authorization Requests are exactly what we are discussing.

Give it a skim (or a read).

You don't need RARs to limit access. It's just a proposal to standardize very fine-grained control access.

This is not very fine-grained. It would be perfectly possible to gate access to social features of github (such as starring) behind a plain old scope. Distinguishing "access to all your own repositories" from "access to anything else on github, as you" also is not a fine-grained difference.

Sure, but the extra “location” and “action” objects within the proposed “authorization_details” JSON object do seem compelling when compared to just a single “scope” string.
Speaking of shoehorning things, it doesn't look particularly "Open" to me that website owners are free to pick a limited number of authenticating authorities, instead of letting the user to pick their own.

(Imagine if e-mail adresses were considered "invalid" in forms if not from Gmail or Outlook !)

It was especially bad with last years Advent of Code, where going through OpenID (or was it OAuth ?) was the ONLY way to join, and with only 3 options listed, none of which I wanted to use !

It is interesting though, most people use it just to avoid creating a new username/password on a random site. Usually there is no intention to grant access to any data maintained on the IDP's site. I know the concept of granting such access is the whole point of OAuth but honestly seems like a rarely needed use case.
The website (oauth client) has to tell the IdP (oauth provider) what level of access they want to have on the user's behalf. OIDC is an extension of oauth that focuses on the basic identity aspects. (It basically just standardizes the user info and how to ask for it).

So an app could request only the non-data-access OIDC scope, or an IdP could enforce that it only allows apps the OIDC info.

On top of that is the user consent. What has been pointed out in threads here is that the IdPs are making the UX for basic OIDC consent too similar to the UX for consenting to privileged data access.

And of course if an oauth token is being abused, the IdP should ban the client app first, not the user...

Yes, I know how it works. My assertion is it really should not work this way by default. Providing identity (i.e. email address) to a random website is much different from providing them with access to sensitive data (often subtly shown in the signup dialog).

It is good to take a step back from the tech and think about it from the user's perspective.

(comment deleted)
OIDC is build on top of OAuth and OAuth is all about scopes and authorizations. You can split the two but OIDC is designed to request id info and access authorization in the same transaction.
> This is how all oidc providers work.

No. When an app is registered with them, a provider does check if the scopes requested have a reasonable business purpose. Many registration forms even ask you to explain why you need the scopes requested. This is similar to how Apple App store does review.

Many OAuth providers also check periodically if one of their registered apps is used for any pattern of abuse.

Furthermore, a client can omit scope and leave it up to the server to decide whether to fall back to a default scope or fail the oauth request.
This patently false. Google for example requires an oauth app registration and approval process. It's one of their annoying faceless processes that developers must go through, but exists for good reason.
If stars are so important that any program that can auto-check stars is inherently fraudulent, then why allow any official third party API the ability to click on stars? Shouldn't that always be something you explicitly have to click?
Github does not separate starring. It falls under the public_repo scope, which is one of the fundamental scopes. Source: https://docs.github.com/en/developers/apps/building-oauth-ap...

"public_repo Limits access to public repositories. That includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories."

Maybe, just maybe, if companies like GitHub would read the fucking RFC’s for “OAuth is not for authentication” they’d get somewhere.

We at least/even have OIDC for that now.

Not really. Your GitHub account doesn't belong to you: it belongs to Microsoft. They let you use it as long as it pleases them, but it's their database and their servers and they don't have any obligation to continue to do so.

Use Gitea instead. It's great and doesn't add eyeballs to this giant corporate SPOF. It even has a feature to push everything in your repo to a remote (eg GitHub) as a mirror automatically. (Or set up a repo as an automatically pulled mirror for the inverse.)

Using gitea doesn't work if you are doing things for some existing repo in github, esp. if it's non-git related such as reviewing PR, issues, etc.
If you put .patch on the end of any GitHub commit URL you get a diff format patch and it usually has the committer's email the top. You can then email them your diff.

It's not perfect and it's not social/collaborative but it gets the job done in the absence of a mailing list.

(comment deleted)
Laws are different in the world. I'm pretty sure in Germany the account would have to be restored.
In Europe the account is not yours but the attached/coupled data (from email to code), since your are banned you also cant delete it, that is a legal problem...at least in europe.
I find this an interesting question - if you have a private repo with code in it and you get banned in this way can you export that repo? There could be situations arising where you don't have your code anymore because of the banning and that would probably be actionable.
i do have public and private repos that i would love to get the data from but all the links are dead as of now
well then I would consider it might be worth talking to a lawyer, you have placed work into these repos, github no longer wants your business cool enough,

They don't have to provide you the service, that is totally their right - but it seems unlikely they would be allowed to keep your intellectual property at the point of service cancellation, especially given the reason for cancellation. They should provide a way to download the repos you want to keep for a reasonable time frame, if for example they send you an email

We no longer want your business, please get your stuff by this date or it will be deleted.

Then that would be one thing, but if they're saying

We no longer want your business, and you can never have your stuff back because that is our policy.

That's opening up a can of worms that their lawyers probably don't want opened either.

on edit: Were any of these repos paid for - then they really better solve it, even so they evidently derive benefit as a business for offering free repos so they should still provide a way to get your repo on service cancellation.

Finally they argue that reusing your code in training things like CoPilot is fair use - have your public repos been used in such a way and if so they are continuing to derive business benefit from your code while not allowing you access to it. Even bigger can of worms.

Considering the rather unfair cancellation (and basically any situation that relies on arguing you should have been more careful or you wouldn't have been taken advantage of is unfair) I think they should reach out, give you your code and say Good-day, sir (or madam, no offense meant).

But even if you were the person doing the starring of repos they would be in an iffy place to keep your intellectual property and not have a limited time, get your stuff back solution (which for all I know they have, I've never researched the matter)

cool. i will be mentioning that in my "strongly worded letter" as i wrote in another comment
Before you send that letter, talk to a lawyer. They have an army of lawyers. If you consider the account and its contents valuable, you should hire a professional who knows how to get the best results. DIY legal work is foolhardy.
GDPR "data access request" ought to get them to give you a copy.
if they're in EU, if in EU there are a bunch of other things that might be considered problematic legally with this behavior of github's so...
I've not seen any cited legal argument that says they can't ban you under their TOS?
No, but it doesn’t matter how “banned” your are according to the service, they still have to provide all your private data upon request.
Hopefully OP can recover any lost work(Or simply get unbanned), but I will venture a guess that buried in GH's TOS is something that amounts to "You agree to these rules, and if you violate them and get banned that is on you" and they can point at this/these clause/s and say, "Hey, OP broke the rules and that's that"
They should require you to log into Github and use the full Github UI for any app permissions beyond saying knowing which github account it is.

I.e. the flow is

1. Auth by Github

2. App says "thanks, now please log into your github account and grant the following permissions, X, Y Z"

3. User logs into github.com, goes to account page and grants whatever they fell is necessary

4. App now has permissions.

There is no legal action you can take.

If you give random websites access to your account that is 110% on you. This just goes to show that people have extremely poor login practices. You need to actually read what popups say before accepting/authorizing.

Also if I understood correctly this was some scammy captcha bypass thing anyway so OP was doing shady shit anyway.

> ... OP was doing shady shit anyway.

Curiosity and analysis should never be considered "shady." Proximity to "shadiness" doesn't make one "shady."

You stopped off an a random Dairy Queen on a roadtrip, got our M&M Blizzard, and attmepted to go along your merry way. But the local cops have stopped you because "obviously" you were doing shady shit by stopping into the DQ that's "known" to deal in nefarious things.

No, probably not. Here's the thing, GitHub integrations always ask the user whether they authorize the integration, they provide the list of permissions that the integration is asking for.

It's not GitHub's fault if the user doesn't read the permissions and authorizes the application.

Yeah but it is GitHub's fault for banning the user instead of the abusive application. You realize the oauth token is connected to the client_id, right?
> Contact a lawyer

Unless you have a couple million dollars burning a hole in your pocket and 5-10 years you'd like to spend in court, good luck suing Microsoft. The US Justice Dept couldn't even get a meaningful result in their antitrust case. The courts exist to protect these multinationals, not for you.

What laws are they breaking? Can't GitHub ban you without a reason? What about HN? Are they not allowed to ban whoever they see fit? Seems scary that I could face a lawsuit if I ban someone I think is obnoxious on my forum.
It wouldn't be a matter of laws being broken. It would be a matter of contract violation of some sort.
So of you don't have anything you sign on account creation you're safe? E.g. Hacker News is just name/password.
> There could be cause for legal action against Github over this

I'm sure there isn't. No one has any inherent right to a GitHub account, and their ToS allows them to ban you for pretty much any reason.

I don't quite get why you're talking about "legal angles"; there's nothing here related to the legal system. Yes, it's stupid that GH makes it so easy to give full access of your account to other entities. Yes, it's stupid that they're going to then ban you for what those entities do with that access. But GitHub has no legal or contractual obligation to not ban user accounts for stupid reasons.

I all but stopped signing in with SSO because I don't want to give out my GH e-mail address. Every service gets its own alias so when I get spam, I know who leaked it.
Good luck.

For others, let this serve as another lesson to never sign in somewhere with any account if you can help it.

This week there's also this other person that says there are soft locked into Google because they signed in with Google to many places.

Go to the trouble of creating a regular account. It's less trouble in the end. (here it was not possible, but of course, it looks like it was a scam, so maybe it's a red flag anyway)

There is no way to create a regular account on Travis. It's only sign in with GitHub and a few others that they added recently.

https://app.travis-ci.com/signin

I understand why they are doing it, because they have to pull from GitHub, but it's not the only way. They could create a regular user on GitHub and ask people to let that user pull from their repositories. Obviously it's more trouble for the user, it would harm adoption and growth, that user could be banned and halt all of Travis.

Travis is the only site I have ever used in that way, because I have a customer that uses it. With hindsight I think that I should create a per customer account on GitHub, just in case something bad happens to Travis.

> With hindsight I think that I should create a per customer account on GitHub, just in case something bad happens to Travis.

Is it too late to do that?

My immediate line of thinking to this thread of "sometimes you have to use an account to sign in" was that then you'll need to create a new account specifically to sign into that service. If you have to sign into that service. Maybe I'm weird, but I tend to even use a DuckDuckGo e-mail when I sign up, so that a specific service is in no way linked directly to me and so that I can stop forwarding e-mails from any specific service.

To be fair, I sort of wonder why Github has an API that allows 3rd parties to star projects with your account. I get that the author of this post on HN is responsible for not reading the "clicked through pages" part of the processes and that they should consider themselves sort of lucky it was only abused for star farming, but why do we have that sort of "facebooky" functionality on Github in the first place?

A lot of the APIs that allow for things like starring projects have been around for a long time. Before GitHub introduced an official mobile app there were a number of unofficial mobile apps that used those types of APIs to give users a “fully functional” GitHub app.

I would say though that if GitHub is allowing requests like that through the API then they should be banning the API token and the account it was issued to if it uses the API maliciously

I believe it goes against the ToS for Microsoft GitHub to have more than one account per human.
https://docs.github.com/en/site-policy/github-terms/github-t...

> One person or legal entity may maintain no more than one free Account

This means that for nearly all of us it is one account per person.

The rules are more relaxed for corporations

https://docs.github.com/en/site-policy/github-terms/github-c...

> A User’s login may not be shared by multiple people.

and that's it.

So there could be joe@company1.com, joe@company2.com, etc. Probably only the joe in his current company can login because the others have revoked its access.

You can't always avoid it.

I had an incident only a week ago where I had to sign up to Snyk and the only way to do so was to use a third party sign in -- no option to create a new account using email.

The end results was me signing in using a Google account tied to the client, resulting in an immediate account disabled message from Google. It took a week to get the account re-opened, but left a bad taste in my mouth. If a billion dollar company can't be bothered to create their own sign in, what can we do?

I was so pissed off at the time that I wanted to open a support ticket with Snyk and vent, but of course, couldn't find any way to do that on their website.

Maybe a way to handle this kind of situation would be to create a dedicated Google account?

(I haven't encountered the situation myself, didn't try it)

Google is known to link accounts by ip address, name similarity, phone numbers, emails, etc. There are for example stories of companies with their Google Cloud disabled because former employee using their personal account pushed app Google didn't like to Play Store.
And anyway you need a phone number for each account now. What a PITA, by design of course.
The best way to fix the problem is not to sign up to such companies and complain instead. If you can't find a feedback form, perhaps they are not interested in feedback? In that case there's always twitter.
just heard of snyk and googled

> Snyk is a Boston-based cybersecurity company specializing in cloud computing...

how is it secure [or wise] to require you to share an external login?

that's infuriating

> You can't always avoid it.

I've managed to. It does mean that some services are unavailable to me, but that's life.

I came across the same realization after disconnecting from twitter. I am signed into multiple places using twitter. Even though I have deactivated my account, I have to reactivate every time to login on a site like disqus.

FB, Twit, Goog, need to separate oauth login from the rest of their service.

Anyone know how to list which sites I used my twitter login on?
Don't know about twitter, but most providers have some sort of "Applications" tab in the user settings that lists every site you gave an oauth grant to.
You say the morally correct thing, but being a Managed Identity Provider is gonna cost loads of money and they really have no business incentive to do this, in fact it may be negative for some of their KPIs like the no. of sign ups they have on their site.

The best course of action would have been for you to de-couple your Identity Provider from your account completely, I have done that over a course of a few months. I have de-coupled myself from Google Sign in on my most frequented sites, using Email + a Password manager + 2FA wherever its supported. though I have also have even used Apple's sign in for some apps

Can you trigger the reset password flow on disqus, etc? That’s what I’ve done on a few sites to disconnect from 3rd party oauth and use email instead.
I reactivated to disconnect disqus. But twitter does not share email address with sites so i could not do forgot password. That is why it was my preferred login technique.
Tailscale only allows you to create a new account by signing in with Google, Microsoft or GitHub. It's a real shame because it's a great service otherwise, but this left a very sour taste.
Head scale FTW? I mea n you need to self host it and deal with all that... But it is your network...
I don't use services that force me to give up privacy like that. A VPN service no less? That's almost funny.
Tailscale is a real VPN, not a privacy proxy using VPN tech. VPNs have nothing to do with privacy, this is no worse than any other service doing it.
Virtual Private Networks are all about privacy. They aren't necessarily about anonymity though.
Private != privacy. Private corporate networks do not guarantee privacy either.
They do guarantee privacy from the outside world. They don't necessarily guarantee anonymity or privacy within the network.
No they don’t. VPNs allow _access_ to a set of subnets that might not be accessible otherwise - normally from external to private. Even though usually vpn traffic is encrypted it’s not a rule or an inherent property of VPNs - see GRE and PPTP for example.
The term "VPN service" has become synonymous with "proxy service that allows circumventing region locks that is implemented using VPN". These services are often pretty scammy and have come in the news often for harvesting user data.

These VPN services have little to do with the traditional meaning of a VPN. They don't provide a private network at all, they just use VPN tech to implement a proxy service.

Tailscale is not a "VPN service" in that sense, they actually provide software for setting up a VPN between computers you control.

Yes, that's what my comment is about: Tailscale is about privacy from the outside world for your network, not the privacy and anonymity VPN proxy services claim to provide.
(comment deleted)
Something being private and having privacy mean very different things in practice. I can stand in the middle of a field that is my private land, but have no privacy from people on the adjacent road looking at what I'm doing or listening to what I'm saying.
> VPNs have nothing to do with privacy

Don't feed the trolls.

Yep. Single reason we don’t use them anymore. Great service, but we don’t have corporate MS, GitHub or Google accounts.
Any alternatives you can recommend?
I’m a big fan of Nebula (Slacks project maintained by Defined Networking)
If you want anonymity, why not just create new Google/Microsoft/GitHub accounts? How is that different from creating a new "Tailscale account" - presumably with what, your existing gmail address?
You can add your own external provider. I'm using them with Okta at the moment.
It does look like they support SAML and OIDC. I think the idea here is that many (most?) Tailscale users will be corporations, and most corporations would rather integrate Tailscale access with their existing auth system, and not have an extra employee account to deal with that needs to be disabled when the employee leaves the company.

That does make things harder for small shops where things are more ad-hoc, or an individual hobbyist who wants to use it. But not sure how much of Tailscale's market consists of people like that, or if Tailscale even cares that much about that segment. No judgment if they don't; that's a perfectly reasonable decision to make.

> For others, let this serve as another lesson to never sign in somewhere with any account if you can help it.

+1 to this. I got locked out of my StackOverflow account because they stopped supporting my auth provider, I think a couple of years ago.

Not sure if you care any more after a couple of years, but https://meta.stackoverflow.com/q/309839

This question is about a Facebook account that was deleted but it should apply to OpenID providers that go away too. The mods' comments seem to indicate that the "Contact Us" link gets you through to a human that may be able to help as well.

Or do not do

> i logged in, clicked through a bunch of pages because its the same drill everytime

GitHub is clearly listing list of permissions, and yes - I check it before accepting log in and in some cases have not granted permission because scope was overly large.

It seems like GitHub gave them the boot as well: https://github.com/NopeCHA/NopeCHA

Is it possible you got caught by some automated system that tries to prevent sockpuppet accounts from inflating stars?

https://nopecha.com/

nope. Google login is still present on the website...

What are you “nope”ing exactly?

The comment you are responding to states one thing (Github banned NopeCHA) and asks an other. (If the ban was done by an automated system)

Which one of these two are you saying “nope” to? And what does google login has anything to do with these?

sorry. i read that as google. i know...... sorry
No worries. That explains it. Thank you for the explanation. :)
They were dumb to expect they would get away with it.
I wish SSO providers allowed users to individually decline requested scopes when logging in.

It would be a PITA for developers, but if it was the norm, you wouldn't think about it twice.

The minimum scope should be a random identifier that's unique to the service provider you are logging in to.

I think we'll get there eventually, like how on iphone/android you can deny individual "scopes" these days. It took a long time and there were some growing pains, but now I have little worry about some sketchy app slurping all my photos from my phone.
You can't?

Why on earth would anyone use SSO? Are we that lazy?

Some do, some don't. That said, I haven't said a option to reject scopes on any of the big oauth providers
The world works by automating things. When was the last time you washed all your clothes by hand?
Hardly an apt comparison.
Platforms can implement that and some already have, e.g. Facebook’s auth works like this.

That being said, this approach requires monitoring and enforcement; otherwise nothing prevents the developer from not allowing the user to proceed without granting some specific permissions. Facebook again seems relatively strict here, at least post- Cambridge Analytica.

As a developer, I know exactly how I'd solve this.

The callback page would tell you that you screwed up, give you a link to try again, and not let you authenticate until you offer the proper scope.

I can't imagine anyone else doing much different than that outside of special cases.

yeah, the granted scopes are part of the id tokens, so they're visible from the requesting application. They could theoretically be hidden by encrypting the bearer_token itself (thats part of the standard already, though few seem to actually do it atm) and omitting them in the id_token, but omitting it would to my knowledge be in violation of the standard

the scope mechanic would have to be reworked altogether if this feature has any chance of actually achieving the desired effect, so a scope can only be granted for n-minutes or something. But that would make a lot of good use-cases borderline impossible (i.e. the previously mentioned alternative frontends for popular pages).

Its really hard without revamping the oidc standard altogether, but thats unlikely to happen as well. Good authentication/authorization is just super hard and continues to be unsolved, especially if untrusted entities are involved.

Tf illegitimate use do you have for solving captchas automatically? Play with abusive software you deal with the consequences.
You can be a legitimate user who wants to (legally, according to SCOTUS) scrape a site.

Or is it better to farm the manual labor out to Amazon Mechanical Turk / Filipinas / etc?

Maybe OP was just having a look, out of curiosity.

But I agree on your last sentence, like when a porn site invites you to sign in with your Google account. That feels like a way to get compromised somehow.

The same legitimate use you have for blocking ads: they're annoying.
I downloaded it just to see. Disabled it the same day because I didn't really understand if it was working. I never signed in with GitHub though...

I also forgot about it until this post. Thanks for saving me a potential headache OP. Just uninstalled it

What use would one have for using a robot to quickly and automatically solve a challenge that’s supposed to tell you are human and not a robot yet takes a human longer than a robot?

Well, probably sidestepping this utter idiocy.

https://github.com/dessant/buster/

buster is a technically legal software designed to show how easy it is to bypass google recaptcha.... if this continues to work, why not a third party SAAS that allows the same thing via an api?

Captchas are extremely annoying, and a pox on the web.
Shady software does shady stuff. Very surprising.
> Shady software

As in Github and Micro$hit along with them

> i logged in, clicked through a bunch of pages because its the same drill everytime.

Nah, the list of permissions you were granting were right there. This is on you.

I'm a big critic of MS and Github is just-another-acquisition to them to monetize users. To that end, the permission to allow a third party to engage in bannable behavior, using someone else's account, is promoting bad actors. MS has lots of experience with this and it will likely be addressed (prohibited outright) in the future. Too late for some.
Any site you grant this permission to could abuse it. The abuse is on the abuser, not the person granting permissions. Allowing the abusive behavior to happen at all - authorized or not - is on Github.
You can't put all the blame on the user, when GitHub makes the page where you just log in to a third party and where you grant them permissions look so similar.
for anyone wondering, the following is the exact text of the first response to my claim i got from github,

"Your account has restrictions imposed because it appears to have been used for the purpose of artificially inflating the popularity of GitHub accounts or repositories.".

so i ask again, if "manage stars" is a legitimate action that is not a problematic one in itself, how would i know, beforehand that going in to "sign in with github", that i would be giving the app stars access and that they were going to use to artificially inflate popularity of their repo? and that was a banable offense?

You didn't and Github should not have banned you. Wheras it is correct that you "could have avoided this by not granting unnecessary permissions" to the site which it then abused in your behalf, it is not your responsibility to ensure the site uses it's access credentials in a non ToS variolating way. This whole comment section is classic victim shaming. GitHub should be responsible to ensure all sites they grant oauth integration do follow the rules. If not, individual accounts should not have to live with the consequences of that.

Google learned this too, that's why it is very hard to get access to certain oauth scopes. Making the product nearly impossible to use except for anything then identity. But that's how it is.

how about this. https://nopecha.com/ their website still has "sign in with google". how about someone uses a throwaway account and does the login workflow and see what happens? i dont have one so someone can see if they are doing some shady stuff there as well
Google is known to associate accounts used from the same place (ip, device) and bulk ban them so that's not safe.
"Sign in with X" buttons all suck anyway. Why lose access to just one account when you can lose access to dozens? Use a password manager.
And more importantly: sites shouldn't require an account for things that don't require an account. I don't want to make an account just to read free content, download free software, or buy something.

Accounts are only necessary if I actually have to maintain content on the site, or specific permissions are tied to my account.

Agreed wholeheartedly. It has been a long time since I've run into a site that doesn't have an "or sign up with your email address" option, but whenever I do, I just decide not to bother. I don't really want any of my accounts tied to each other if I can help it.
If you use gmail, is "Sign in with Google" tying accounts together any more than "or sign up with your email address"? Don't they both mean you're relying on your google account/gmail address existing?
I use my own email domain.

I do wonder if it would be useful to use my Auth0 personal account for this type of thing on sites that support it instead of using email login. I think a dedicated identity provider might be less risky in terms of random account freezing. Google, Microsoft and Github probably have a zillion ways (valid and invalid, accidental or not) you can violate TOS because they all own platforms for publishing content. A dedicated identity provider might be safer in that regard.

Mostly agreed, but I like to use them in cases when I'm fairly convinced that I'm using the service as a one-time thing to throw away anyway.

What makes me unhappy are the services that don't support non-oauth accounts at all, e.g. ProductHunt.

Uh?

You have one account with stronger sec. Like 2fa instead of 10 random accounts without 2fa cuz you dont want to give ya phone number to untrusted ppl

And the day the "master" account gets suspended or compromised you lose access to 10 other accounts. No thanks.
With a password manager, keeping track of 10 passwords is barely any more effort than one user account. Same thing is true for 2fa secrets.
Use authenticator apps or things like yubikeys for 2fa, using your phone number is not a security benefit but an exploit waiting to happen at this point.
2FA isn't the end all be all if it can lock me out by losing a device or an arbitrary number I dont actually own (e.g. sms 2fa)
Literally impossible on the given website. It only supports "Sign in with Google" (now). I won't be testing it out for exactly that reason.
I just realized that GitHub accounts can be suspended!

Important reminder to maintain a backup of any data stored on your online accounts.

It's another reason your programming community should lock into a platform as well. I know certain languages where this user would no longer be able to participate and publish packages anymore.
> you could be banned from one service and suddenly everything connected to your account is also banned.

That has been the main criticism of pervasive SSO since the beginning. It's even worse with Google. At least with github it seems to have ben an actual human telling you to fuck off!

It is incredibly easy to click past some OAuth prompt only to find out later your account has been used to do some shady stuff. In the early to mid 2010s it was a rampant issue on Twitter. Always double check what you are allowing some app to do with your stuff.
What i take from this is that your personal actions on GitHub and the actions of a bot doing API calls are indistinguishable in their logs, otherwise it would be obvious that those stars have a caller that is not you.
That's the first thing I thought. They should be able to see which actions were taken by the app and undo them when cleaning up the abuse. No need to ban accounts.
If you want people to use your authentication then you can not start banning accounts depending on which sites they authenticated against. What's next? "that political site was not in our view"?

If the offending site is causing issues they should just delete that oauth key and prevent the site from using "sign-in with github". How hard is that?

GitHub asks users to type in the name of a project when deleting it. It seems they should ask users to type something in order to grant a third party access to a project. As someone who is working on a project that will require write access to repos, I support it.
Whoa, I'm very surprised at the amount of "told you so" and blaming the user in this thread. How many times are we going to retread the same tired arguments in this industry? Not everyone who uses github and other SSO sources is a elite hacker that knows exactly what the buttons they're pressing mean, plus sometimes we just make dumb mistakes. At the very least github should make it much higher friction to give a third party access to fuck with your account, and only make it dead simple to act as a identity provider.
You don't have to be an Elite Hacker to read a permissions list and be informed about what you're consenting to.
Everyone over reaches on permissions though. It's practically industry standard to ask for a whole bunch of permission you don't need. Such that the likes of Google have multi-year efforts to crack down on it and reduce the ability to do it (in say Android).

It's also a matter of UX. Github (or anyone with social login) should be clear about what your granting. "Do you trust this website? They will be able star repos on your behalf"

> "Do you trust this website? They will be able star repos on your behalf"

... "and if they do this too often, it's your account that will be punished" (in big bold red text and with a 15 second delay before the authorize button is enabled).

because every time this happened, I will always think, great, now company gonna waste another resource for the benefit of the stupid, careless, lowests common denominator, and absolutely no benefit whatsoever (or worse) to people with common sense.
Bad actors exist everywhere and manage to get even distinguished security people at times.

What you're doing is victim blaming. The phishing/scamming equivalent of shouldn't have been walking down an abandoned street at 1am in the morning.

Is it really a waste of time for Github to target the site instead of the users?

If anything, Github already wasted time by targeted the user into a victim, rather than the original source of the API call.

I didnt say that. Dont put word in my mouth.

Punish the site. But dont bother wasting anymore resources to protect the stupids. Its their own action, let them be accountable for their own choice.

This. Also the whole situation reminds me the early days of Facebook, when people abused your account with posts to the wall and so on.
I once signed up for Runtastic with my Google account. It then wanted access to my personal data which I denied. After that I kept getting marketing emails from them. The only way to unsubscribe was to delete my account. I tried to delete my account but their workflow required me to authorise them to read my Google data. I still didn’t want them to have access. I tried contacting support, their office, via social media. Nothing. No response. The lesson learned for me, never ever use SSO again.
Sign in with Apple gives the service a spoofed e-mail address it creates (you can choose to use your real one instead).

Trouble is that if you need to migrate from Apple, then there's no way to recover the account.

On the flip side things like Etsy digital download purchases then don't get delivered and the cause a support headache for sellers.
In this case Apple redirects the mail to you, but you can stop it anytime and then the other party can no longer reach you.

For sure, there's a lot of support headache related to OAuth in general.

This is an issue with anyone who has your email, not really SSO. Those emails would be illegal in Canada, the business has 10 days to stop sending them after you contact them requesting to unsubscribe.
Yeah Australia as well, a bunch of big companies got in trouble a few years back after emailing after unsubscribe from the ACCC. Multi-million fines.

I like that the ACCC has teeth. Keeps Australian companies on their toes.

Pull the GDPR card.

The right to be forgotten and make them delete all your data ( including backups ).

( No, they don't need to know whether you are a citizen within EU or not )

I actually did try that! No reply from the Austrian authorities. No reply from any email at Runtastic.
Probably a stupid question: Why can the user grant permission to third-party apps to star repos? What is the legitimate usage of this API?
Their API lets you do almost anything you can do on github. Its whole point is to allow people to write apps that do all the things you'd on github.

So, want to write a full front end for github? Do it. It's likely the github mobile app uses this API to provide every service it provides.

Open issues, create repos, add comments, create gists, create releases, star repos, etc...

https://docs.github.com/en/rest?apiVersion=2022-11-28

All that said, I have ranted about github's permissions

https://games.greggman.com/game/github-permission-problem/

I'm guessing to allow people to make github browser apps, like the official desktop app.
It is a common problem for identity providers and their users that they do not have a strict definition of claims aside from a generic read/write.

Otherwise the user would get a giant prompt upon first use about which claims are needed to proceed. If that takes hold, people will just click away the message and third party logon would be as vulnerable to phishing than conventional logins.

Otherwise it is nice to have an API that almost can do anything. I think this is the strategy of GitHub, to provide a service beyond the user login and also serve as infrastructure.

GitHub usually asks the user to provide permissions explicitly. When you go through the OAuth flow, GitHub will show what permissions the app require and you have to provide them explicitly.

This is an unfortunate event and I hope GitHub will lift the ban from the ones affected and enforce ban on the people misusing this. But always check what permissions you are giving.