
It’s due to crypto scammers using it. From the founder’s post:

At some point in the past crypto scammers used JSFiddle to host pages with a wallet code and posted links to that on Twitter.

Due to the nature of JSFiddle, anyone can post anything, so wallet codes are ok – we did implement a content filter to shadow-ban these.

I asked Twitter if they could help out and ban Twitter accounts that were posting scam tweets that included links to the rouge fiddles.

Twitter just went the easy route and blocked all jsfiddle.net links instead of blocking spammer accounts on their platform.

Tried to contact Twitter many many times, with no reply whatsoever. They most likely have a no-explanation-needed policy, which is why they never replied.

There's nothing that can be done here unless somebody has contact to a higher op at Twitter who has the decision power to help out here.



I don't understand how posting a "wallet code" is dangerous. Is it mining coins while you are browsing the code? Then it's just a minor annoyance. Also, browsers should block cryptominers when they are in the background tab.


I don’t think it’s mining code, I think it’s wallet addresses posted by scammers. Here’s an example of the scam I think this is intended to curb: https://s3.amazonaws.com/aws-website-staticfiles-25g9k/elon_...


I don't understand how someone could be tech-savvy enough to know about ETH and actually own some, while at the same time falling for such scams.


I would wager most of the people dealing in crypto currencies are actually precisely the kind of people that would fall for pretty much anything. I don't think it's a stretch to say that the fact that they deal in crypto currencies is actually a pretty good indication that they would.


I think you're conflating categories. Here's what I think: https://i.imgur.com/d4ocNXa.png

That is to say, gullible people are found everywhere but I don't think people inclined to fall for fraud are the same as get-rich-quick tech-heads.


Responding by a Venn diagram, love it.

More to the point - there is a significant number of people who started learning about computer security precisely because they got some cryptocurrencies. And frankly, if someone wants to really understand the details, it's hard to miss all the frequent warnings and examples of scams, hacks, leaks.


"Dunning-Krugerrands"


The people speaking at events as experts on crypto mostly don’t know what they are doing.


Avoiding scams requires being people-savvy. Tech-savvy is unrelated.


I saw one of those fake Elon Musk posts in my stream and my first thought was "Wow! Is Elon pushing shady blockchain money things now?" It wasn't until a few seconds later that I realized there was no blue-check and it wasn't him....


Almost all people who know about bitcoin and ETH are looking for that cheap buck.


It is a numbers game. It is basically free and if you get 1 in a million then hey, that's money. Same with Nigerian email spam I suppose.


These are probably the people who jumped on the hype train and bought at the previous peak.


holy shit Jita scammers have come out into the real world now.

"send me 1,000 isk and i'll send you 2,000 isk back!"


Oldest scam in the book. o7


o7 same thought occurred to me m8. Fly safe!


Eh, at least it's not CODE


ok sent.


Paul, is your resume template open sourced anywhere? I like that timeline style.


I visited that page. I didn't check but I don't think any of my satoshis were stolen. Don't see what's dangerous there.


The page itself is not the scam. It's a page showing tweets where somebody is scamming people on Twitter, pretending to be Elon Musk giving out ETH.


Blocking cryptominers or other scripts isn't possible because of JavaScript's nature as a Turing-complete language, much less with new shiny WebWorkers/PWAs. It's also not just a minor annoyance when miners, trackers, and all kinds of other nefarious or just plain garbage scripts drain your batteries and consume power/bandwidth for no other reason than browser vendors being busy developing webapp platforms and world domination schemes rather than declarative and privacy-focussed content consumption/authoring ... browsers.


You can detect crypto miners pretty easily by their behavior.


I think Digital Ocean shared your view, until recently, when false positives caused them to shut down a customer's business, and a broken support procedure caused them to keep it down. Search HN archives for Digital Ocean from the last week or two and you should be able to find that story.


I don't know the terminology well, but further down in the discussion, it looks like it was some kind of scam rather than "just" mining.


Couldn't you do the same thing with github.io, S3 Websites, Netlify, the list goes on? Why would they single out JSFiddle among numerous services where one can upload arbitrary code?


The laziness of scammers never ceases to amaze.

There's the theory that misspellings in a Nigerian email are meant to filter only the truly gullible, but IDK if that is true.


> There's the theory that misspellings in a Nigerian email are meant to filter only the truly gullible, but IDK if that is true.

I think the crazier misspellings with wild character substitutions only started after bayesian spam filtering.



in this case is laziness another word for efficiency?


The laziness of the people trying to stop those scams should amaze you.

Nothing proves the scammers are not using those other alternatives for all you know.


So: the amount of people who own crypto and lose it in a free-money-just-give-me-money-first scam > legit developers who want to share code.

Why is twitter bending over backwards to protect the former crowd?


On a complete tangent, I think "rogue" might be the most misspelled word for those that otherwise have good spelling. It's still jarring every time I see it, decade after decade.

And "loose" instead of "lose", but that one is just confusing.


I see "break" ALL THE TIME where "brake" should be used.

    rouge -> rogue
    loose -> lose
    lose  -> loose
    break -> brake
And many more that I can't recall at the moment... In my youth I spent an absolutely obscene amount of energy correcting these people, but now I just automatically lower the veracity of what they're saying each time I see some literacy problem.

That isn't fair to those people because not everyone speaks English as a first language, and phones autocorrect a lot of things that should not be corrected.


Some of these are actually mistakes native speakers are prone to make, since they didn't learn the language from text first.


"lead -> led" (past tense of the verb "to lead") is also a pretty common one for native speakers.


on the other hand, if nobody had corrected my use of "loose" I wouldn't know it.


I legitimately thought we were talking about reddish colored fiddles for a moment.


"Tounge" really grinds my gears, I don't know why.


The take away here is to never do anything nice for Twitter because they won't reciprocate and won't even return your emails.


Crypto scammers can simply switch to GitHub Pages. Can Twitter ban github links?


There's a fairly big difference: JSFiddle is completely anonymous but GitHub Pages and similar services require accounts and at least in the case of GitHub they have a functional abuse team.

In contrast, JSFiddle can take something down but that's where it ends unless the scammer used a dedicated IP which is easily traced to them.


And even then, scammers can always switch to custom domains. It seems futile to block arbitrary code execution unless they only allow whitelisted domains.


Why not? They did it for JSFiddle. They own the platform, so technically they do what they want.


The backlash from banning GitHub links would be magnitudes larger than JSFiddle.


[flagged]


Please don't post unsubstantive comments or shallow dismissals here.

https://news.ycombinator.com/newsguidelines.html


The low-effort snark is unnecessary and weakens the conversation. At least make it witty.

JSFiddle is a pretty low tier target that most people won't miss. GitHub links aren't. Also, I'd imagine GitHub Pages is more responsive to taking down scamware, it at least requires an account, and has more of an interest in keeping malicious behavior off the platform.


What demographic does twitter like to hire? Probably people who use github a lot, huh?


What is "a wallet code"?


I assume they mean a mining script - so that the person running the jsfiddle would be mining cryptocurrencies, and the proceeds would go to the scammer's wallet address.


If that is true, Twitter should also block every newspaper out there. Their bloated websites max out my CPU too.


Get uMatrix and block scripts.


I am thinking code that would leverage browser extension wallets like Metamask and access the wallet of the user and steal the crypto.


It should just be an address; the scam would be to try to convince you to send money there.


>> By wallet code you mean a crypto mining script yes?

> I think I saw some variant of this. It's one of those "send some ETH and receive 2x more back!" With fake "live" transaction listing and fake testimonials.

> Edit: if memory serves me correctly, the transactions being listed are actually not fake, though the live aspect is. The same transactions always reappear as if they're new if you refresh, and those transactions are the 2x amount that got sent back. It's all just the scammers trying to make the site look legit.

- From the above linked GitHub Issue


What's next? Banning QR codes containing wallet address?


Banning all links whatsoever because any web page can contain a miner, a malware or just offensive material.


Videos and images can contain offensive material and twitter is full of them.


Twitter is full of offensive anything.


It is pretty remarkable that no matter who you are, Twitter will find a way to piss you off.



