It's not clear at all. The scope UI says 'Repositories - Public repositories'. It does not sound dangerous and only reveals that the access is r/w (not r/o) after expanding the dropdown. It does not mention stars at all.
Sounds like the basis for an argument for refining the scopes such that it is abundantly clear which scopes write data and which ones do not.
No one should be surprised that allowing an untrusted program to write files and permissions through an operating system could lead to a security exploit.
Many would likely be cognizant of the risk of becoming a member of a botnet.
Allowing untrusted programs to control your digital services is not fundamentally different, in my current perspective.
Truly though, wouldn’t you expect that your IP might be banned if your computer was compromised by a DDoS botnet?
Your GitHub user account was compromised by a bad actor, so it shouldn’t be surprising nor considered victim blaming.
Of course, GitHub might cross the line to being unreasonable if they become aware of this as a potential security issue and fail to mitigate the phishing risks that they are exposing their customers to.
edit: restoring your user account to good standing, if absolutely necessary, is certainly something to strive for, but be aware that it can take years or never, from anecdotes that I’ve heard about Google, Apple, Twitter, etc. Microsoft/GitHub/LinkedIn won’t likely be any different, in that regard
> Your GitHub user account was compromised by a bad actor, so it shouldn’t be surprising nor considered victim blaming.
But GitHub sees where the request to create the stars came from. The requests all came with authentication tokens associated with the given malicious site. They have all the data to see how the account got “compromised”, and they also can see that the account owner is unlikely to have knowingly participated in the “star farming”.[1]
The obvious and correct solution is to delete all stars created through tokens associated with the malicious site[2], disable access for the malicious site and write a letter to the compromised users.
1: further absurdity is that by deciding that the stars were farmed GitHub already made the decision that they are not coming organically from users. Because if they were coming organically from the users then it wouldn’t be star farming, just a popular repo. So why are they punishing the users then?
2: one more absurdity is that stars don’t cost GitHub anything. It is just a number in a DB. It is not like they incurred a cost due to this attack. GitHub decided that they care about some stupid stars, and made the farming of them a bannable offense.
An example requesting the 'public_repo' scope (the client_id is a random one from the internet): https://github.com/login/oauth/authorize?client_id=33a703d01...
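Added example (not from the thread above): a small pre-consent audit that parses a GitHub OAuth authorize URL like the one linked and reports which requested scopes grant write access, since the consent screen's "Public repositories" label hides that `public_repo` is read/write. Scope names are GitHub's documented ones; the read/write grouping is this example's own judgement, and the client_id is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# GitHub's documented scope names, grouped by this example into read vs write.
# 'public_repo' is the one the thread is about: it is a write scope even though
# the consent screen only shows "Repositories - Public repositories".
WRITE_SCOPES = {"repo", "public_repo", "repo:status", "repo_deployment",
                "gist", "workflow", "project", "user", "user:follow", "delete_repo"}
READ_SCOPES = {"user:email", "read:user"}

def classify_scope(scope: str) -> str:
    """Return 'read', 'write' or 'unknown' for one GitHub OAuth scope name."""
    prefix = scope.split(":")[0]
    if scope in WRITE_SCOPES or prefix in {"write", "admin", "delete"}:
        return "write"
    if scope in READ_SCOPES or prefix == "read":
        return "read"
    return "unknown"  # unknown scopes are treated as write by the caller

def audit_authorize_url(url: str) -> dict:
    """Summarise what a GitHub OAuth authorize URL is actually asking for."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    # GitHub accepts space- or comma-separated scopes; parse_qs already
    # decodes '%20' and '+' to spaces.
    raw = " ".join(qs.get("scope", []))
    scopes = [s for s in raw.replace(",", " ").split() if s]
    classes = {s: classify_scope(s) for s in scopes}
    return {
        "host": parts.netloc,
        "client_id": qs.get("client_id", [None])[0],
        "scopes": classes,
        # anything not positively read-only is flagged as granting write access
        "grants_write": any(c != "read" for c in classes.values()),
        # a missing 'state' parameter means the app skips OAuth's CSRF protection
        "has_state": bool(qs.get("state", [""])[0]),
    }

if __name__ == "__main__":
    # Constructed URL with a placeholder client_id, same shape as the one linked above.
    report = audit_authorize_url(
        "https://github.com/login/oauth/authorize"
        "?client_id=EXAMPLE_CLIENT_ID&scope=public_repo%20user:email")
    for scope, cls in report["scopes"].items():
        print(f"{scope:15s} {cls}")
    print("grants write access:", report["grants_write"])
```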