HACKER Q&A
📣 2Gkashmiri

Developer abused “sign in with GitHub”?


The offending website "nopecha.com", which unfortunately I found out about a week ago on HN itself, appeared to be another captcha service, but one that was offering "1 sec" solve speed for text captchas. I was interested and, by the looks of it, so were a lot of people. Their website only had "sign in with Google", so I didn't bother. The day before, I checked the website out of boredom and saw "sign in with GitHub". I logged in, clicked through a bunch of pages because it's the same drill every time. I found out that I had "automatically starred their repos". By the looks of it, around 500 "stars", the last I saw.

Suddenly I am unable to log in to my GitHub and the page just says "account suspended."

I contacted their support and the last response I got from them was "your ban should stay as you engaged in improper behavior of stars farming" or some other BS.

Here is my problem. I am not a part of nopecha. I just used their website once using "sign in with github" button. That is the extent of my involvement.

How can GitHub allow the developer to use the "sign in with" button to create a situation that they could LATER consider abusive, but then go ahead and ban all the victims also?

I did not voluntarily want to join their abusive practice, I just wanted to log into the website. (There was no explicit mention of the stars farming practice on the website.) Why is GitHub allowing the developer to abuse their OAuth in the first place?

If this is going to be the norm going forward, I do not see any hope for "sign in with" buttons for any service, because then you could be banned from one service and suddenly everything connected to your account is also banned.

I honestly expect the "sign in with X" button to provide frictionless access to a website, that's it. How could the developer abuse that process, and the website, instead of acting on the developer alone, cause trouble for unsuspecting victims?

Edit: to add a bit more context, here is the first reply I got from GitHub on my support request:

"Your account has restrictions imposed because it appears to have been used for the purpose of artificially inflating the popularity of GitHub accounts or repositories.

This activity isn't in keeping with our Terms of Service.

We'll need to leave the restrictions in place."

I knowingly or unknowingly accepted to allow the app to access my stars action or whatever. I did not engage in this practice myself, their automated system did. I even had the "ForkHub" Android app and I did see "stars", and I remember unstarring 4/5 of their repos myself, so it's not like I did not try to undo their actions.

The problem here is:

1. GitHub is allowing developers to include their permissions along with the SSO workflow.
2. GitHub is allowing apps write access to stars from the users' accounts, which can be legitimate or not.
3. The user is not responsible for automated actions taken without their consent, or even if consent was there, the user is not aware of the "actual scope", meaning the app could say "you allow us stars access" but not "you allow us stars access with the knowledge that such permission can be a bannable offense, you are warned".
4. Unless the user is a sockpuppet account created for the sole purpose (by checking age/activity of the user), is it reasonable to throw the banhammer so quickly on everyone involved?
5. Why did GitHub not ban the original dev, stop the users from starring for a "cooling period", or "undo their stars"? Why was a ban necessary?


  👤 jrochkind1 Accepted Answer ✓
I partially blame github for having very un-granular permissions -- a sign in with github ought to be possible without granting the site any permissions to do anything at all on behalf of your account, other than verify your identity via OAuth.

But I have no idea if that really is possible, and we have gotten used to granting sites permissions to github, specifically, beyond what they really need, because github often doesn't make it possible to give them what they really need. So we've been trained to be like, sure, whatever, okay, grant permissions.

(I used to complain to third-party sites when they were asking for more github permissions via oauth than they needed, and even say I wouldn't use their service because of it. The answer was invariably "Sorry, github won't let us get the permissions we need without this overreach", and the times I had the energy to investigate, it looked like they were right! And we're talking really basic things, like read-only to a single private repo without write to all private repos in all organizations!)

However, on top of all that... this site is offering to automate solving captchas for you? Is there any non-sketchy use for this? I guess I am not too shocked that a site offering to take your money to help you bulk trick your way past captchas is... doing something else unethical too?
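To make jrochkind1's point concrete, here is an added example (mine, not code from the original thread, from GitHub, or from NopeCHA) that parses the `scope` parameter of a GitHub OAuth authorize URL, or the `X-OAuth-Scopes` header GitHub returns on API responses for an already-issued classic token, and flags every scope that goes beyond proving who you are. The scope table is a hand-written summary of GitHub's documented classic OAuth scopes, the sample URL is constructed, and the function names are this example's own; treat the mapping as an assumption to re-check against the current docs.

```python
"""Audit the scopes a "Sign in with GitHub" button actually asks for.

Added example, not code from the thread or from GitHub. Parses the
classic OAuth `scope` parameter of an authorize URL, or the
`X-OAuth-Scopes` header of an API response for an existing token, and
reports which scopes let the site act on your behalf rather than just
read your identity. SCOPE_EFFECTS is a summary of GitHub's documented
classic scopes and is an assumption of this example, not an API.
"""
from urllib.parse import urlsplit, parse_qs

# Scopes that only let a site learn who you are (plain SSO use).
IDENTITY_SCOPES = {"read:user", "user:email"}

# What the broader classic scopes allow (summarised; assumption).
# There is no classic scope that grants *only* starring: GitHub's docs
# list `public_repo` as required for starring public repositories, and
# `repo` is a superset of it.
SCOPE_EFFECTS = {
    "read:user":     "read profile data",
    "user:email":    "read e-mail addresses",
    "user":          "read AND update profile, e-mail and followers",
    "public_repo":   "write to all public repos: push, star/unstar, statuses",
    "repo":          "full read/write to ALL repos, public and private",
    "read:org":      "read org membership and teams",
    "write:org":     "manage org membership and teams",
    "admin:org":     "full organisation administration",
    "gist":          "create and edit gists",
    "notifications": "read and mark notifications",
    "delete_repo":   "delete repositories",
    "workflow":      "update GitHub Actions workflow files",
}

# Constructed sample: the kind of URL a "Sign in" button redirects to.
EXAMPLE_AUTHORIZE_URL = (
    "https://github.com/login/oauth/authorize?client_id=abc123"
    "&scope=user:email%20public_repo&redirect_uri=https://example.test/cb"
)


def parse_scopes(scope_str: str) -> list:
    """Split a scope list. GitHub documents space separation; the
    X-OAuth-Scopes header and older integrations use commas, so accept both."""
    return [s for s in scope_str.replace(",", " ").split() if s]


def scopes_from_authorize_url(url: str) -> list:
    """Extract the requested scopes from a github.com/login/oauth/authorize URL."""
    parts = urlsplit(url)
    if parts.netloc != "github.com" or parts.path != "/login/oauth/authorize":
        raise ValueError("not a GitHub OAuth authorize URL")
    query = parse_qs(parts.query)
    # No `scope` at all means GitHub grants only read access to public data.
    return parse_scopes(query.get("scope", [""])[0])


def audit(scopes) -> dict:
    """Classify scopes: identity-only, or able to act on your behalf."""
    excess = {}
    for s in scopes:
        if s in IDENTITY_SCOPES:
            continue
        # Unknown scopes are flagged too; better to ask than to assume.
        excess[s] = SCOPE_EFFECTS.get(s, "unrecognised scope, treat as overreach")
    return {
        "identity_only": not excess,
        "can_star_repos": any(s in ("repo", "public_repo") for s in scopes),
        "excess": excess,
    }


def audit_authorize_url(url: str) -> dict:
    """One-call check for a sign-in link copied from a browser."""
    return audit(scopes_from_authorize_url(url))


if __name__ == "__main__":
    report = audit_authorize_url(EXAMPLE_AUTHORIZE_URL)
    for scope, effect in report["excess"].items():
        print(f"overreach: {scope}: {effect}")
    print("identity only:", report["identity_only"],
          "| can star repos:", report["can_star_repos"])
```

In practice you paste the URL the sign-in button sends you to (visible in the address bar before you click "Authorize"), or run an API call with an existing token and feed the `X-OAuth-Scopes` response header to `parse_scopes`; anything in `excess` is a permission the site can exercise without you present.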


👤 redbell
While providing third-party login services as a way to sign up has some benefits, omitting the "Sign up with email" option downgrades the experience dramatically. And, you know what? Providing only third-party sign-up options with "unnecessary" privileges ruins the entire experience.

A few weeks ago, I wanted to sign up for a Product Hunt account, and in just a few seconds, my experience.. you know.. "downgraded", because there was no other way to sign up other than through third-party services. After hesitating for some time, I forced myself to try to sign up with my Twitter account. I clicked the Twitter icon, and it took me to Twitter, where I got these "cute/honest" permissions requested by the app I was willing to authorize:

1. See Tweets from your timeline (including protected Tweets) as well as your Lists and collections.

2. See your Twitter profile information and account settings.

3. See accounts you follow, mute, and block.

4. Follow and unfollow accounts for you.

5. Update your profile and account settings.

6. Post and delete Tweets for you, and engage with Tweets posted by others (Like, un-Like, or reply to a Tweet, Retweet, etc.) for you.

7. Create, manage, and delete Lists and collections for you.

8. Mute, block, and report accounts for you.

9. See your email address.

Oh man! 4 and 5 and, especially, 6 are my all-time favorites. Are all these permissions really needed to be able to create a PH account with my Twitter? I mean, c'mon.. this is not supposed to be an alternative front-end app for Twitter like "Apollo", "RiF" and "Relay" are for Reddit, this is just a website where people post their e-products once they've launched, simple, huh!

I cancelled this process, and I still haven't created a PH account yet, but hearing OP screaming with this scary submission today makes me think again 'n' again.. maybe forever.. to proceed down this path.


👤 jraph
Good luck.

For others, let this serve as another lesson to never sign in somewhere with any account if you can help it.

This week there's also this other person who says they are soft-locked into Google because they signed in with Google in too many places.

Go to the trouble of creating a regular account. It's less trouble in the end. (here it was not possible, but of course, it looks like it was a scam, so maybe it's a red flag anyway)


👤 arc-in-space
Whoa, I'm very surprised at the amount of "told you so" and blaming the user in this thread. How many times are we going to retread the same tired arguments in this industry? Not everyone who uses github and other SSO sources is an elite hacker that knows exactly what the buttons they're pressing mean, plus sometimes we just make dumb mistakes. At the very least github should make it much higher friction to give a third party access to fuck with your account, and only make it dead simple to act as an identity provider.

👤 saalweachter
I'm going with, no, GitHub shouldn't have banned your account. Disproportionate response.

They've bundled several different functionalities together in a GitHub account, but the core functionality is to publish public git repos, or access private ones. Account banning for abuse should relate to you not being trusted to do those actions, not the secondary actions. If you published deceptive malware repos masquerading as other projects, sure, ban the hell out of you. If you use your private repos as the nexus of a botnet, likewise.

"Use your stars to participate in GitHub popularity contests" is, like, a tertiary functionality of your GitHub account at best. If you can't be trusted with that, it should be separable from the rest of your account. Set a flag on your account that prevents your star from contributing to votes. Hell, give me a config option that lets me turn off my stars counting.

Banning your account wholesale is overkill and unreasonable.


👤 schemescape
I know this doesn't help your current problem, but there should have been a list of permissions you were granting during the setup flow. Anything more than asking for your identity is the indicator that a site could cause you trouble, unfortunately.

👤 MzHN
I wish SSO providers allowed users to individually decline requested scopes when logging in.

It would be a PITA for developers, but if it was the norm, you wouldn't think about it twice.

The minimum scope should be a random identifier that's unique to the service provider you are logging in to.
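What MzHN describes in the last sentence is what OpenID Connect Core (section 8.1) calls a "pairwise" subject identifier: the identity provider hands each relying party a stable `sub` that is unique to that site, so two sites cannot join your accounts by comparing identifiers, and the site learns nothing else unless you grant a further scope. The following is an added example of that derivation (mine, not code from the thread or from any identity provider): the HMAC construction, the salt constant, and the way the sector identifier is taken from the redirect URI host are this example's choices, and the user IDs and URLs are invented.

```python
"""Pairwise pseudonymous subject identifiers for an identity provider.

Added example, not code from the thread or from GitHub/Google. Each
relying party (the site you log in to) gets a `sub` that is stable for
you at that site but unrelated to the `sub` any other site sees. The
HMAC construction and the constants are this example's assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Secret held only by the identity provider. Changing it changes every
# user's `sub` at every site, so it must be protected and kept stable.
# Invented value for this example.
IDP_PAIRWISE_SALT = b"example-idp-salt-do-not-use-in-production"


def sector_identifier(redirect_uri: str) -> str:
    """The relying party's sector: by default the host of its redirect URI.

    OIDC lets an RP that spans several hosts register a sector_identifier_uri
    instead; this example uses the redirect URI host, which is the default.
    """
    host = urlsplit(redirect_uri).hostname
    if not host:
        raise ValueError("redirect_uri has no host")
    return host.lower()


def pairwise_sub(local_user_id: str, redirect_uri: str,
                 salt: bytes = IDP_PAIRWISE_SALT) -> str:
    """Derive the `sub` claim this relying party sees for this user.

    HMAC-SHA256 keyed with the IdP salt over (sector || NUL || user id).
    The NUL separator keeps ("ab", "c") and ("a", "bc") distinct. Without
    the salt a site could brute-force candidate usernames against `sub`.
    """
    msg = sector_identifier(redirect_uri).encode() + b"\x00" + local_user_id.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def id_token_claims(local_user_id: str, redirect_uri: str, granted_scopes) -> dict:
    """Build the minimal claim set: `sub` always, anything else only on request.

    The e-mail and username values are constructed stand-ins for a lookup
    in the IdP's user database.
    """
    claims = {"sub": pairwise_sub(local_user_id, redirect_uri)}
    if "email" in granted_scopes:
        claims["email"] = f"{local_user_id}@example.test"
    if "profile" in granted_scopes:
        claims["preferred_username"] = local_user_id
    return claims


if __name__ == "__main__":
    for site in ("https://site-a.example/cb", "https://site-b.example/oauth/return"):
        print(site, "->", id_token_claims("alice", site, ["email"]))
```

The two printed `sub` values for the same user differ, while repeated logins to the same host keep producing the same one, which is exactly the property that lets a site recognise you without learning who you are anywhere else.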


👤 ilyt
Well, there are two options here.

Either GitHub authorization, which by default asks only to use email [1] (I clicked some random GH SSO-using site; the one mentioned in the post above doesn't have GH auth at the moment), has a bug and also gives starring rights.

Or OP is having prompt-induced illiteracy syndrome, which caused them to not read and just click accept till "the thing worked".

[1] https://imgur.com/a/VTFc2FD

...I give it 30/70. Kinda heard the second version from my users way too often


👤 kstenerud
There could be cause for legal action against Github over this, since one could not reasonably expect that using Github's own "Sign in with Github" could allow the site you are logging into to automatically cause actions on your behalf that would result in your account being banned. Contact a lawyer.

Another possible legal angle is that by providing these powers to websites with little or no oversight and "people will just gloss over it" UX, they are facilitating the very star farming they are banning over.


👤 Ensorceled
The amount of victim blaming here is over the top, even for HN. What I am really surprised about is the sheer number of people that are happy, or even gleeful, that this happened to this developer.

I've noticed a decline in the mood(?) on HN, but this is down to a whole new level.


👤 Krisjohn
"Sign in with X" buttons all suck anyway. Why lose access to just one account when you can lose access to dozens? Use a password manager.

👤 sschueller
If you want people to use your authentication then you can not start banning accounts depending on which sites they authenticated against. What's next? "that political site was not in our view"?

If the offending site is causing issues they should just delete that oauth key and prevent the site from using "sign-in with github". How hard is that?


👤 black_puppydog
> you could be banned from one service and suddenly everything connected to your account is also banned.

That has been the main criticism of pervasive SSO since the beginning. It's even worse with Google. At least with github it seems to have been an actual human telling you to fuck off!


👤 qwerty456127
Just avoid using the "sign-in with" buttons ever. They are evil. Sooner or later you find out a reason or another why. Always sign-up with e-mail (and yes, for those who don't know, writing your GMail address and using the "sign-in with GMail" button are very different things).

👤 ibelong2u
I just realized that GitHub accounts can be suspended!

Important reminder to maintain a backup of any data stored on your online accounts.


👤 mkl95
It is incredibly easy to click past some OAuth prompt only to find out later your account has been used to do some shady stuff. In the early to mid 2010s it was a rampant issue on Twitter. Always double check what you are allowing some app to do with your stuff.

👤 chmod775
It seems like GitHub gave them the boot as well: https://github.com/NopeCHA/NopeCHA

Is it possible you got caught by some automated system that tries to prevent sockpuppet accounts from inflating stars?


👤 stagas
What I take from this is that your personal actions on GitHub and the actions of a bot doing API calls are indistinguishable in their logs; otherwise it would be obvious that those stars have a caller that is not you.

👤 nigamanth
Essentially how GitHub works is, when you sign in with the app, the app requires knowledge and data from the user. For example a simple GitHub integration telling you how many stars your repos have, they may need read access.

When you're asked to sign in, it will show you, this application can:

1. Read and manage your stars
2. Read and manage your repositories.

Be very careful when granting applications access because they can misuse it like this. GitHub integrations should be verified for editing repos and editing stars of the user, but that's just my opinion.


👤 jimnotgym
Slightly surprised by all of the victim blaming here.

The guy didn't intend to allow github star abuse from his account.


👤 m_eiman
A slight aside:

It's interesting that things you create for one purpose can be turned into something else entirely by "culture". In this case, the primary reason for the addition of stars on Github was to make it easier to keep track of things you found interesting or useful. Their manual currently introduces stars like this: "Starring makes it easy to find a repository or topic again later."

But having many stars indicates popularity, and popularity indicates quality, and Github is used as a resumé…

When combined these factors turn the stars into a kind of currency, and brings in all the problems facing any system that handles any kind of currency. This may or may not have been Github's intention from the start, but it seems like they haven't really adapted their systems to treat access to starring powers like the access to currency it de facto is.

So be careful when you design things: the way they're used in the real world can transform something innocent into a big problem for all involved.


👤 unnouinceput
I read a lot of comments here and everybody's "Github this, Github that". It's 4 years since Github was bought by Microsoft, so here is the breaking news:

Github IS Microsoft.

So every time you read "Github" invoke that part of your brain that uses "ReplaceString" function and read "Microsoft" instead.

"Sign in with Microsoft" - do I really want to use that on "this obscure site" knowing that if my account gets suspended/banned, Microsoft won't care at all? That's the real question.


👤 raxxorraxor
These are the common pitfalls for identity providers and their users. Usually you would have to check which claims the services requests from your account. I don't know the implementation of GitHub, but it should be their responsibility to display the needed permissions the service requests from your account. But these descriptions often aren't really transparent, you would need to know which GitHub API needs which permissions.

Yes, it is convenient, but third party login comes at a price and in my opinion that price is quite high. A bit funny (sorry) that it compromised their own product with false data. Since it is essentially their fault, you should get your account back and the service abusing your login should be removed from their identity provider. Probably already happened, but I fail to see how users should be indicted here.


👤 ChrisMarshallNY
I don't have any opinions on whether or not the OP should have done what they did, but it is a fairly concrete object lesson, as to why I don't use these SSO services.

I use 1Password and Spamex to maintain lists of DEAs and passwords. It's worked fine for years.


👤 Cort3z
New fear unlocked; Being blocked from my github account.

Is there some easy way to mirror everything on GH to a NAS or something?
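One answer to Cort3z's question, as an added example (mine, not code from the thread or from GitHub): keep a bare `--mirror` clone of each repository on the NAS and refresh it on a schedule. A mirror clone keeps every branch and tag and can be pushed verbatim to another host if the account disappears. Enumerating the repositories is left to the caller (for instance `gh repo list OWNER --json sshUrl`, which is an assumption about the GitHub CLI, not something the thread states); the paths, URLs and the throwaway local repository used so the example runs offline are constructed.

```python
"""Keep bare mirrors of a set of Git repositories (e.g. on a NAS).

Added example, not code from the thread or from GitHub. `mirror_repo`
creates a `git clone --mirror` the first time and `git remote update
--prune` afterwards, then runs `git fsck` so a silently corrupt backup
is noticed. `make_sample_repo` builds a throwaway local repository so
the whole thing runs without network; it stands in for a real remote.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def _git(*args, cwd=None) -> str:
    """Run git, fail loudly on error, return stdout without the newline."""
    return subprocess.run(["git", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout.strip()


def mirror_name(clone_url: str) -> str:
    """Directory name for a mirror, owner__repo.git, derived from the URL.

    Handles https://host/owner/repo(.git), git@host:owner/repo.git and
    plain local paths (used by the self-contained demo).
    """
    path = clone_url
    if "://" in clone_url:
        path = urlsplit(clone_url).path
    elif ":" in clone_url and not os.path.exists(clone_url):
        path = clone_url.split(":", 1)[1]          # scp-style git@host:owner/repo
    parts = [p for p in path.split("/") if p]
    name = "__".join(parts[-2:]) if len(parts) >= 2 else parts[-1]
    return name if name.endswith(".git") else name + ".git"


def mirror_repo(clone_url: str, dest_root: str) -> Path:
    """Create the mirror if missing, otherwise fetch and prune it. Returns its path."""
    dest = Path(dest_root) / mirror_name(clone_url)
    if (dest / "HEAD").exists():                   # a bare repo always has HEAD
        _git("remote", "update", "--prune", cwd=dest)
    else:
        dest.parent.mkdir(parents=True, exist_ok=True)
        _git("clone", "--mirror", clone_url, str(dest))
    _git("fsck", "--no-dangling", cwd=dest)        # a corrupt backup is worse than none
    return dest


def mirror_all(clone_urls, dest_root: str) -> dict:
    """Mirror every URL; record failures instead of aborting the whole batch."""
    results = {}
    for url in clone_urls:
        try:
            results[url] = str(mirror_repo(url, dest_root))
        except subprocess.CalledProcessError as e:
            results[url] = "FAILED: " + e.stderr.strip()
    return results


def head_commit(mirror_dir) -> str:
    """Commit the mirror's HEAD points at, handy for a change log of backups."""
    return _git("rev-parse", "HEAD", cwd=mirror_dir)


def make_sample_repo(root: str, content: str) -> str:
    """Constructed stand-in for a hosted repo: create it, or add a commit to it."""
    src = Path(root) / "src"
    if not (src / ".git").exists():
        src.mkdir(parents=True, exist_ok=True)
        _git("init", "-q", cwd=src)
        _git("config", "user.email", "backup@example.test", cwd=src)
        _git("config", "user.name", "backup example", cwd=src)
    (src / "README.md").write_text(content)
    _git("add", "README.md", cwd=src)
    _git("commit", "-q", "-m", "update", cwd=src)
    return str(src)


def demo(root: str = "") -> dict:
    """First run clones, upstream gains a commit, second run refreshes in place."""
    root = root or tempfile.mkdtemp(prefix="mirror-demo-")
    mirrors = os.path.join(root, "mirrors")
    src = make_sample_repo(root, "v1\n")
    first = mirror_repo(src, mirrors)
    h1 = head_commit(first)
    make_sample_repo(root, "v2\n")                 # upstream moves on
    second = mirror_repo(src, mirrors)
    return {"mirror": str(first), "same_dir": first == second,
            "updated": head_commit(second) != h1,
            "upstream_head": _git("rev-parse", "HEAD", cwd=src),
            "mirror_head": head_commit(second)}


if __name__ == "__main__":
    print(demo())
```

For a real account, feed `mirror_all` the clone URLs from your enumeration step and run it from cron on the NAS; because each mirror is a bare repository, restoring elsewhere is a single `git push --mirror` to the new remote.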


👤 janosdebugs
I all but stopped signing in with SSO because I don't want to give out my GH e-mail address. Every service gets its own alias so when I get spam, I know who leaked it.

👤 kelnos
This is the weird bit where signing in with your GitHub account (or Google account, or some others) has a dual purpose: it can be used as a SSO/identity provider, and it can also be used to grant third-party sites access to your GitHub (or whatever) account.

You just really need to be vigilant[0], unfortunately. Personally I don't use "Sign in with X" ever[1], for two reasons: I don't want to accidentally grant too much access (as happened here), and I don't want my account on third-party sites being tied to my account on the identity provider (both for reasons of privacy, and because I don't want to be stuck in a situation where I lose access to the third-party site due to an issue with the identity provider). So when I see a site that doesn't allow me to create my own account with them, I move on.

If you do decide to use "Sign in with X", then you need to carefully read what permissions to your account the third-party site is requesting, and opt out of those you don't want to give. And if you can't opt out, you need to live with not having an account on the third-party site.

It is super messed up that GitHub has suspended your account for this; it makes no sense whatsoever. This will be a third reason to add to my list of reasons why I don't use "Sign in with X" anywhere.

[0] Which is not a general solution! Any fix for a problem that involves "everyone who uses this needs to pay better attention" is doomed to fail, since many people don't -- and won't -- pay attention, and even people who usually do pay attention can make mistakes.

[1] There are a few exceptions to this, unfortunately. It's incredibly annoying that crates.io only allows GitHub login, but it's something I can't realistically do without.


👤 sudo_navendu
GitHub usually asks the user to provide permissions explicitly. When you go through the OAuth flow, GitHub will show what permissions the app require and you have to provide them explicitly.

This is an unfortunate event and I hope GitHub will lift the ban from the ones affected and enforce ban on the people misusing this. But always check what permissions you are giving.


👤 fakeh4ker
Tf illegitimate use do you have for solving captchas automatically? Play with abusive software you deal with the consequences.

👤 martin_a
Who is nopecha.com?

I mean, like as a person, a company, an entity. Maybe that's a strange cultural thing, but is anyone fine with giving them money or access to data without ANY information at all about who is behind that site?

No contact information at all, just a link to a Discord server and nothing else.

That whole operation is just illegal under any law if you ask me.


👤 fakeh4ker
Shady software does shady stuff. Very surprising.

👤 theelous3
The real question for gh is why this is even available as a third party action via the oauth.

What possible legitimate reason could there be for this kind of action access?


👤 benatkin
GitHub asks users to type in the name of a project when deleting it. It seems they should ask users to type something in order to grant a third party access to a project. As someone who is working on a project that will require write access to repos, I support it.

👤 thanatropism
It says something either about Github or HN that by now someone hasn't popped in the comments saying "Github employee here..."

👤 EMIRELADERO
People should contact the NopeCHA author over this. Refer to my previous comment about it: https://news.ycombinator.com/item?id=33769251

👤 2Gkashmiri
Update: looks like my account is back. I have not received any email confirmation, but I just checked my GitHub user and before it was 404 and now it is back. I was able to log in and all.

As I said, there has not been any email confirmation or notification from GitHub regarding unbanning, but this gives me a chance to get a copy of my repos.


👤 2Gkashmiri
For anyone wondering, the following is the exact text of the first response to my claim I got from GitHub:

"Your account has restrictions imposed because it appears to have been used for the purpose of artificially inflating the popularity of GitHub accounts or repositories.".

So I ask again: if "manage stars" is a legitimate action that is not a problematic one in itself, how would I know beforehand, going into "sign in with GitHub", that I would be giving the app stars access and that they were going to use it to artificially inflate the popularity of their repo? And that that was a bannable offense?


👤 ptnxlo
Follow-up on this. The nopecha.com site does not have a GitHub sign-in anymore (only Google at the moment). Looking through GitHub, the organization nopecha seems to have been deleted and all its repositories return a 404 from GitHub, and it seems to have been moved to a different, recently created organization (and kept public). Can't avoid feeling curious what has happened.

👤 pca006132
Probably a stupid question: Why can the user grant permission to third-party apps to star repos? What is the legitimate usage of this API?

👤 spritefs
> suddenly i am unable to log in to my github and the page just says "account suspended."

This happened to me the other day, out of nowhere. I have no idea why. At least OP managed to get a response out of their support, I've yet to get any sort of response after a couple weeks. All the other times I got an account banned from somewhere, I've always known why. In this case, I have literally no idea of what I did to get that kind of treatment

Maybe Github is purging accounts en masse or something? I have no clue

What I can say is this: Github/MS is highly unresponsive. The Copilot thing was highly disrespectful to users and shows how little regard MS has for the open source community

I self host gitea now and don't have any plans of using Github again for anything outside of school/work, where I don't have a choice (at least at the moment)

The service that Github offers has so many alternatives, there's literally no reason to stick around and play Micro$hit's head games (other than complacency)


👤 robgibbons
Seems to me your first problem was trying to use a service like Nopecha in the first place. That immediately strikes me as a great way to get banned from whatever service you were planning on using it on. The fact that GitHub banned your account for Nopecha's actions is just a sideshow to that fact, in my opinion.

👤 neilv
Part of the problem here is our cavalier use of "Sign in with ".

We software engineers can practice better, both in how we expose our development and production accounts and systems, and in what we encourage less-knowledgeable users to do.

(Maybe widespread hardware keys will make this problem go away before individual diligence does. Then we just have to tackle resisting the urge to copy&paste `workstation$ curl -sSL https://randomwebsite.weonlyjustlearnedof/something-shiny | sh`.)


👤 ransom1538
"I just realized that GitHub accounts can be suspended!"

I was banned by github. https://github.com/ransom1538. All work lost. All stars lost. I created a weekend project to view and see other github projects - and pushed users to start projects they liked. I shouldn't have had that many beers! lol. My userbase was exploding after 24 hours. Their security team just ended my profile then ghosted me. My profile links on open source projects just return a 404.

My advice. Be careful!! with a github account you spent years building on and respect your master: github.


👤 Animats
Ouch.

If you're on Github, go to "https://github.com/settings/applications" and you can see, and revoke, any OAuth accesses.

I just discovered that "Improbable" (the game engine backend company) had too much access, obtained because I once signed up to look at their SDK. I revoked that. (They used to be legit, but then they got involved with Yuga Labs, the Bored Ape crypto people, so trusting them is now questionable.)


👤 jahnu
I once signed up for Runtastic with my Google account. It then wanted access to my personal data which I denied. After that I kept getting marketing emails from them. The only way to unsubscribe was to delete my account. I tried to delete my account but their workflow required me to authorise them to read my Google data. I still didn’t want them to have access. I tried contacting support, their office, via social media. Nothing. No response. The lesson learned for me, never ever use SSO again.

👤 hackerman123469
You fell for a phishing site it seems.

👤 jacksnipe
I don’t understand why GitHub would be upset with you; seems pretty clear they should be taking action against the app that you were using, and that you didn’t want this either.

👤 osigurdson
Scary. Gotta be super careful about granting scopes. I use signin with google all the time - just to avoid creating new passwords. Imagine if I accidentally grant the scope for a random site to read all emails. I hope that isn't even possible but I imagine it is - it likely would be fairly nonchalantly displayed in the list of scopes. I'm a developer who has implemented OIDC flows so in theory I should know better. What about everyone else?

👤 nixgeek
It’s really worth reading Privacy policies: https://nopecha.com/privacy

We may sell and may have sold in the last twelve (12) months the following categories of personal information:

Category A: Identifiers

Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

Category D: Commercial information

Category F: Internet or other similar network activity


👤 est
Yeah this is exactly the problem with federated login.

One misstep your whole account gets canceled. Even other services you didn't violate but still need to login.


👤 plankers
maybe, just maybe, having friction in logging into web services is a good thing.

i, for one, am not a fan of the tendency for every web service to require an account in the first place. making it easier for people to log in to these unnecessary accounts is helpful in discouraging this practice, as it will decrease utilization of services which require such superfluous accounts.


👤 jupp0r
Ideally, schools should teach people how these access grant dialogs work and that you should be careful who you give access to what social media presence.

This is no different than somebody "logging in" via facebook and messaging everyone 3 minutes later that they lost their wallet and need $500 urgently.

Minus points to GitHub for going after the user and not the malicious app.


👤 2Gkashmiri
How about this: https://nopecha.com/ their website still has "sign in with Google". How about someone uses a throwaway account, does the login workflow and sees what happens? I don't have one, so someone can see if they are doing some shady stuff there as well.

👤 JohnFen
That's terrible. I avoid SSO systems entirely for a whole bunch of reasons. I'll add this to my list.

👤 anothernewdude
Star farming is sad. Why would you ban for that? Sounds like their systems suck, and their patch is to ban users.

👤 pantojax45
So now you can’t push or manage repos on your account? Since GitHub wants you to use one handle for everything, this is a new vector to screw over large open source projects or make it so someone is unable to work at their job.

Hope you can get access back soon!


👤 29athrowaway
If you are looking for captcha solving solutions you are likely up to no good.

👤 Zachsa999
I recently had a user (probably a robot) star all of my public repos. I never thought it could be a real user who didn't understand the repercussions of giving login to github.com.

👤 layer8
Could it be that this wasn't the official "Sign in with GitHub", but a phishing version presented by NopeCHA, so that they got your GitHub credentials?

👤 ElijahLynn
Note to self: Another good reason to not use Popular SSO services, and instead continue creating a manual account for all.

👤 duckydude20
Gitter also asked something like this. Like it wants to access my public repos. I took some time, but in the end I gave it. I thought it was a normal flow. After this, idk if that's normal. From now on I am not going to use SSO, esp. the GitHub one.

👤 Animats
Find and sue "nopecha". At least in Small Claims Court. Or talk to a lawyer. This might be good for substantial damages.

They're trying to hide, but they can't, not really, because they're a business that accepts payments. "nopecha" has a Chrome plug-in and domain registration with Google, along with a PayPal account. They can be found, but it may take a subpoena to Google or PayPal.[1]

"Nopecha" indicates on their site that they comply with California CCPA requests. Make one, and ask for your info and what they've done with it. That should yield more information. If they fail to reply within the 45 day time limit, file a complaint with the attorney general's office.[2]

[1] https://support.google.com/faqs/answer/6151275?hl=en

[2] https://www.oag.ca.gov/privacy/ccpa/enforcement


👤 pknerd
It seems they removed Github option. I only see signing up via Google.

👤 bobleeswagger
M$ strike again!

👤 fennecfoxy
Lmao the victim blaming on this one.

Github failed to indicate clearly what the consumer was going to use this person's credentials for.

This is Github's fault, end of story. If the permissions included "can star repos", instead of just "can read/write repos", then sure.

Github are too _lazy_ to build granular enough scopes; they should be able to ask "why are you using this scope?" and it should _never_ be the case that someone using one small part of the api has to ask for a scope granting blanket access.

Granted, there are quite a few issues with granularity of scopes/oauth for various other services, too.

Edit: also the stinking elitism in here; the worst part of the tech community. Just bc someone has a Github account doesn't mean they're some sort of super hacker, there are junior devs out there who could've easily done this and your response to them is "get gud scrub".


👤 joeframbach
> i logged in, clicked through a bunch of pages because its the same drill everytime.

Nah, the list of permissions you were granting were right there. This is on you.


👤 ryanwinchester
Sorry, but you gave them permission to do it.

Why are people blaming GitHub?

Making it easy and frictionless for developers to build GitHub integrations is what a good developer platform should do.

You've learned a lesson to not just blindly click through an application requesting permissions to your account.


👤 jwie
GitHub did the right thing. While GitHub might have had better ways to deal with this kind of thing technically, those controls are rather expensive to implement for novel scam use cases if they weren’t in place prior to the abuse.

The blast radius of their strategy is desirable since it will also remove the accounts of all participants, willing or not. It doesn’t really matter if each individual zombie is a willing participant in the horde, you’re still going to indiscriminately fire on all of them.

Participants will often claim to be victims, and while that’s probably not happening here, it’s way more cost effective to ban everything touching the scam. Tons of free users complaining essentially doesn’t matter since these users were already not generating value. Their potential loss is regrettable, but acceptable.

Genuine victims will eventually be able to get their accounts restored via support after they’ve contained the problem, and accounts in on the scam won’t bother. If they were a paying customer I’m sure they’d have ways to get this resolved.

The en masse bans weren’t utterly necessary, but they were a faster and more effective resolution to the problem from GitHub’s perspective.

If the suggestion is “do something really expensive and considerate of the scammers” the correct answer is always no. Scams create enormous costs, asking them to increase the cleanup costs is the wrong approach.