I believe it's actually a proxy server, not a clone. The one thing that is worrying me a bit is their login form. Username and password would go through their server and we have to assume that the credentials are logged there.
They also proxy another login security mechanism for generating a random authenticity_token that seems to be used for third-party sign-in. I'm not sure if it would be possible to hijack or pin user sessions by intercepting that endpoint. Sign-in protocols and flows like OAuth should make it impossible or extremely hard to pull that off, since the login service provided by GitHub or Twitter would only redirect with an authorization code response to dev.to, theoretically ruling debunkism out as a "man-in-the-middle".
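The two checks that make the reasoning above hold, shown as an added example that is not part of the original comment and not dev.to's or GitHub's code: on the identity provider's side, the redirect_uri in an authorization request must exactly match a pre-registered callback, so the authorization code is only ever delivered to the real site's host and never to a proxy; on the relying party's side, the returned state must match a value bound to the user's own browser session, which is what stops a code from one session being planted into another. The client id, the callback path and every hostname below are constructed for the example.

```python
"""Added example (not from the original post): the two OAuth checks that keep a
proxying site from acting as a man-in-the-middle for third-party sign-in.

1. Authorization-server side: exact-match redirect_uri validation, so the code
   is redirected only to the registered callback host.
2. Client side: a session-bound `state` value, checked once on the callback, so a
   code obtained in one browser session cannot be fixed into another.

All identifiers, URLs and hostnames are constructed for this example.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry as an identity provider would keep it.
# The callback path is an assumption, not the real site's path.
REGISTERED_CLIENTS = {
    "site-client-id": {"redirect_uris": {"https://dev.to/auth/callback"}},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the registered list: no prefix, subpath
    or subdomain matching, and https only."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def authorize(client_id: str, redirect_uri: str, state: str):
    """Simulated authorization endpoint. Returns the URL the browser is sent to
    with the authorization code, or None when redirect_uri is not registered
    (an error must not be redirected to an unregistered URI either)."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(32)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def code_delivered_to(client_id: str, redirect_uri: str):
    """Host that actually receives the authorization code, or None if refused."""
    url = authorize(client_id, redirect_uri, state="x")
    return urlsplit(url).netloc if url else None


# --- relying-party (client) side ------------------------------------------

def start_login(session: dict) -> str:
    """Mint a random state and bind it to this browser session before redirecting."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return session["oauth_state"]


def finish_login(session: dict, callback_url: str) -> bool:
    """Accept the callback only if its state equals the session-bound value."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    returned = query.get("state", [None])[0]
    if expected is None or returned is None:
        return False
    if not secrets.compare_digest(expected, returned):
        return False
    return "code" in query


def demo():
    """Returns (same-session login accepted, foreign-state callback accepted)."""
    victim, other = {}, {}
    url = authorize("site-client-id", "https://dev.to/auth/callback", start_login(victim))
    accepted = finish_login(victim, url)
    # A callback minted under a different session's state must be rejected.
    planted = authorize("site-client-id", "https://dev.to/auth/callback", start_login(other))
    fresh = {}
    start_login(fresh)
    fixated = finish_login(fresh, planted)
    return accepted, fixated


if __name__ == "__main__":
    print(code_delivered_to("site-client-id", "https://dev.to/auth/callback"))
    print(code_delivered_to("site-client-id", "https://proxy.example/auth/callback"))
    print(demo())
```

The redirect check deliberately refuses lookalike hosts, subpaths and plain http rather than trying to be lenient; any relaxation there is exactly what would let a proxying host receive the code. The state check uses a constant-time comparison and consumes the stored value on first use.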