Whoa, I'm very surprised at the amount of "told you so" and blaming the user in this thread. How many times are we going to retread the same tired arguments in this industry? Not everyone who uses GitHub and other SSO sources is an elite hacker that knows exactly what the buttons they're pressing mean, plus sometimes we just make dumb mistakes. At the very least GitHub should make it much higher friction to give a third party access to fuck with your account, and only make it dead simple to act as an identity provider.
The UX for the authorization prompt is awful. The only difference between a regular sign-in prompt and authorizing access to repositories is a single word: "Repositories".
Everyone overreaches on permissions though. It's practically industry standard to ask for a whole bunch of permissions you don't need. Such that the likes of Google have multi-year efforts to crack down on it and reduce the ability to do it (in, say, Android).
It's also a matter of UX. GitHub (or anyone with social login) should be clear about what you're granting. "Do you trust this website? They will be able to star repos on your behalf"
> "Do you trust this website? They will be able to star repos on your behalf"
... "and if they do this too often, it's your account that will be punished" (in big bold red text and with a 15 second delay before the authorize button is enabled).
Because every time this happens, I always think:
great, now the company is gonna waste another resource for the benefit of the stupid, careless, lowest common denominator, and absolutely no benefit whatsoever (or worse) to people with common sense.