Ask HN: Developer abused “sign in with GitHub” and users are being punished
581 by 2Gkashmiri | 313 comments on Hacker News.
The offending website "nopecha.com", which unfortunately i found about a week ago on HN itself appeared to be another captcha service but one that was offering "1 Sec" solve speed for text captchas. i was interested and by the looks of it, a lot of people. their webisite only had "sign in with google" so i didnt bother. The day before i check the website out of boredom and saw "sign in with github". i logged in, clicked through a bunch of pages because its the same drill everytime. i found out that i had "automatically starred their repos". by the looks of it, around 500 "stars", the last i saw. suddenly i am unable to log in to my github and the page just says "account suspended." contacted their support and the last response i got from them was "your ban should stay as you engaged in improper behavior of stars farming" or some other BS. Here is my problem. I am not a part of nopecha. I just used their website once using "sign in with github" button. That is the extent of my involvement. How can github allow the developer to use "sign in with" button to create a situation that they could LATER consider abusive but then go ahead and ban all the victims also? i did not voluntarily want to join their abusive practice, i just wanted a log into the website. (There was no explicit mention of the stars farming practice on the website) Why is github allowing the developer to abuse their Oath in the first place? If this is going to be a norm going forward, i do not see any hope of "sign in with" buttons for any service because then you could be banned from one service and suddenly everything connected to your account is also banned. I honestly expect the "sign in with x" button to provide a frictionless access to a website, thats it. how could the developer abuse that process and the website, instead of acting on the developer alone, are causing trouble to unsuspecting victims? edit: to add a bit more context, here is the first reply i got from github on my support request "Your account has restrictions imposed because it appears to have been used for the purpose of artificially inflating the popularity of GitHub accounts or repositories. This activity isn't in keeping with our Terms of Service. We'll need to leave the restrictions in place." I knowingly or unknowingly accepted to allow the app to access my stars action or whatever. i did not engage in this practice myself, their automated system did. i even had "forkhub" android app and i did see "stars" and i remember unstarring 4/5 of their repos myself so its not like i did not try to undo their actions. the problem here is. 1. if github is allowing developers to include their permissions alongwith the SSO workflow 2. github is allowing apps write action to stars from the users accounts which can be legitimate or not. 3. user is not responsible for automated actions taken without their consent or even if consent was there, user is not aware of the "actual scope" meaning app could say "you allow us stars access" but not "you allow us stars access with the knowledge that such permission can be a banable offense, you are warned" 4. unless the user is a sockpuppet account created for the sole purpose (by checking age/activity of user), is it reasonable to throw the banhammer so quickly on everyone involved? 5. why did github not ban the original dev, stop the users from starring for a "cooling period" or "undid their stars" ? why was a ban necessary?