I partially blame github for having very un-granular permissions -- a sign in with github ought to be possible without granting the site any permissions to do anything at all on behalf of your account, other than verify your identity via OAuth.
But I have no idea if that really is possible, and we have gotten used to granting sites permissions to github, specifically, beyond what they really need, because github often doesn't make it possible to give them what they really need. So we've been trained to be like, sure, whatever, okay, grant permissions.
(I used to complain to third-party sites when they were asking for more github permissions via oauth than they needed, and even say I wouldn't use their service because of it. The answer was invariably "Sorry, github won't let us get the permissions we need without this overreach", and the times I had the energy to investigate, it looked like they were right! And we're talking really basic things, like read-only to a single private repo without write to all private repos in all organizations!)
However, on top of all that... this site is offering to automate solving captchas for you? Is there any non-sketchy use for this? I guess I am not too shocked that a site offering to take your money to help you bulk trick your way past captchas is... doing something else unethical too?
I think one other thing is missing. There's generally no way to review what a service or app does with the permissions it gets. There should be an access log for any API used through OAuth so you can ensure that what you signed up with is actually doing what it says it's doing with the permissions you've given it.
edit: And once there's an access log, there should also be a way for users to flag/report suspicious activity for review. There's so much more we could be doing to protect users.
Also, why can't I set a phantom/virtual/dummy profile for a specific app/service asking for permissions? Why do I have to choose between not using something and giving it access to everything it wants? Why can't I choose which real data it's allowed to see and which is dummy data, regardless of permissions?
I also blame GitHub for not having a way for a user to grant only some of the permissions requested. Every once in a while somebody on my team will try to look into CodeCov integration, because it sounds useful. And then we realize it wants the ability to write to our repo, plus the ability to manage arbitrary hooks, when it should just need the ability to write check results and read the (public) repository. Every time we give up and don't use it.
Pretty much everyone who uses GitHub for auth is going to want the user:email scope. But you can definitely do OAuth where that's all you ask for, and have no permissions to mess with the user's account.
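An added example (not code from any poster) of what the minimal-scope flow above looks like in practice: the relying party builds a GitHub authorize URL that asks for nothing beyond `user:email` plus a CSRF `state`, and an audit helper compares the scopes a token was actually granted (reported by GitHub in the `X-OAuth-Scopes` response header) against what the integration needs. The client id and redirect URI are placeholders, and the header set is constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"
# A pure "sign in with GitHub" needs identity plus e-mail, nothing more.
MINIMAL_SCOPES = {"user:email"}


def build_authorize_url(client_id, redirect_uri, scopes=MINIMAL_SCOPES, state=None):
    """Return the authorize URL and the state value to pin in the user's session."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),  # GitHub takes a space-delimited scope list
        "state": state,                     # compared on the callback to stop CSRF
    }
    return f"{GITHUB_AUTHORIZE}?{urlencode(params)}", state


def requested_scopes(url):
    """Scope set an authorize URL asks for (useful when auditing a third-party login link)."""
    raw = parse_qs(urlparse(url).query).get("scope", [""])[0]
    return {s for s in raw.replace(",", " ").split() if s}


def granted_scopes_from_headers(headers):
    """Scopes a token actually carries; GitHub reports them in X-OAuth-Scopes."""
    raw = next((v for k, v in headers.items() if k.lower() == "x-oauth-scopes"), "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def scope_overreach(scopes, needed=MINIMAL_SCOPES):
    """Scopes requested or granted beyond what the integration needs (empty set is the goal)."""
    return set(scopes) - set(needed)


if __name__ == "__main__":
    url, state = build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://example.invalid/callback")
    print(url)
    # Constructed header set, as an over-scoped token would see it from api.github.com.
    over_scoped = {"X-OAuth-Scopes": "repo, admin:repo_hook, user:email"}
    print("overreach:", scope_overreach(granted_scopes_from_headers(over_scoped)))
```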
That's good progress to see! But in addition to that being a public beta launched less than 2 months ago, that doesn't seem to cover the case of "sign in with GitHub". It's for personal access tokens, not OAuth.
hCaptcha is awful at this. You can request an 'accessibility cookie' by typing in an email address but for me it denied me with a generic error.
I contacted support, they asked me for IP and browser details. I responded and they gave me suggestions like using a VPN or rebooting the modem to pick up a new dynamic IP. :/
A screen reader is replaced by the audio, and otherwise for you to use the webpage you’re looking at it so you can see. What’s missing? I guess if you rely on braille because you’re deaf and blind?
Aside from accessibility, which a sibling poster noted, there's also just: CAPTCHAs are effing annoying. I am so tired of proving I'm not a robot over and over and over by giving Google free labor training their image recognition models.
But you pay for their services whether you actually use them or not, since reCAPTCHA is so prevalent across the internet. So yes, free labor is a good way to characterize it.
Yeah, I am very new to the dev world, but I was blown away by the amount of information that GitHub let me have for free when using their OAuth implementation. I'm honestly glad to hear this isn't normal.