The risk of using apps that access your Gmail account

Andy Baio, in an opinion piece for Wired News: "Since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox. I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown."

  1. I’m no security expert, but I thought OpenAuth only authenticated a given user. I don’t believe it allows a Web site that uses it to actually access any of your Google services.

  2. It would be good to have an answer to that, wolfwitch! Gad. Does this mean we all have to start reading the fine print for every click through? The world needs a vetting service for acceptable and unacceptable fine print that regular people can check out for comfort. Sort of like a writer’s beware site.

    1. Only apps with the “GMail” permission will have full access to your mails (you can see all your authorized apps at ). Most sites I use only have the “Sign in using your Google account” permission, which shouldn’t give access to any data.

      But yeah, the authorization dialog could be a lot more clear about what permissions you’re granting exactly.

        1. Ah, it looks like BoingBoing added the closing parenthesis to the link, and I also have user account switching enabled, which adds the “/b/0” to the URL. I’ve edited the comment so it hopefully works now.

          1. If you type a ) or a . or a , at the end of a link, it’s going to end up in the URL. I fix dozens of them every day.

  3. I think people need to understand OAuth before thinking it is the issue. OAuth allows you to give access to a third party without needing to give them your credentials. What the article is saying is that this is done so easily that people are not considering what they are allowing access to. Nothing new here, and it shouldn’t be about OAuth.

  4. Yeah, that’s not actually what’s happening. OAuth collects a token after *Google* authenticates you and confirms the intent that was sent.

  5. Everyone should check the link provided by toupeira to see what you’ve authorized. You may be surprised.

    I noticed that to sign up for commenting at the Chicago Tribune site using OAuth, you give the Trib access to your Gmail contacts.

    I deleted everything that had anything more than “Sign in using your Google account “

  6. Yeah, this article pretty much makes no sense. Any software that has your Google credentials can access your Gmail with the default settings. There’s nothing new about this.

    1. Not quite true. Each application you connect has a different “scope” setting. 
      That might be read/write access to Blogger, YouTube, etc. Or maybe simply to know ‘who’ you are using your Plus account (no write access here yet).

      Access to Gmail is a specific one too. See :

        1. Yes. That’s right. After you’ve given an application the rights to access a certain “scope”, it then has access to the data provided by those API endpoints.

          See also the ‘playground’ app here, which lets you choose a ‘scope’ and then authorize it, which will then show you the authorization request allow/deny page that a user would see, etc.
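The two threads above (comment 3 on what OAuth delegates, and comments 6.1 and 6.1.1 on scopes) describe what a user is really granting on the allow/deny page. The following Python script is an added example, not code from the post or from any commenter: it parses the Google OAuth 2.0 authorization URL that a site redirects the browser to, lists the permissions named in its `scope` parameter, and notes whether `access_type=offline` was requested (a refresh token that keeps working after the tab is closed, which is the "perpetual, silent" access Baio is worried about). The scope-to-description table and the two sample URLs are constructed for the example; the client IDs and redirect URIs in them are made up.

```python
"""Audit what a "Sign in with Google" request actually asks for.

Added example (not the page's or its commenters' code). Google's OAuth 2.0
authorization endpoint receives the requested permissions in the space-separated
`scope` query parameter; `access_type=offline` additionally requests a refresh
token, so the grant outlives the browser session. This script summarises both
so the user can see the difference between "sign in only" and "read my mail".
The SCOPE_INFO table is an assumption kept small for illustration; the sample
URLs and client IDs below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Constructed lookup (assumption): scope -> (human label, grants mailbox/contact data?)
SCOPE_INFO = {
    "openid": ("Sign in / identity only", False),
    "email": ("E-mail address only", False),
    "profile": ("Basic profile only", False),
    "https://www.googleapis.com/auth/userinfo.email": ("E-mail address only", False),
    "https://www.googleapis.com/auth/userinfo.profile": ("Basic profile only", False),
    "https://www.google.com/m8/feeds": ("Read/write Contacts", True),
    "https://www.googleapis.com/auth/gmail.readonly": ("Read every Gmail message", True),
    "https://mail.google.com/": ("Full Gmail access (read, send, delete)", True),
}


def classify_scope(scope):
    """Return (label, is_data_access). Unknown scopes count as data access until checked."""
    return SCOPE_INFO.get(scope, ("Unknown scope, treat as data access until verified", True))


def audit_authorization_url(url):
    """Summarise the permissions an OAuth 2.0 authorization URL requests."""
    params = parse_qs(urlparse(url).query)

    def first(key):
        return params.get(key, [""])[0]

    scopes = first("scope").split()  # OAuth 2.0 scopes are space-separated
    labels = {s: classify_scope(s)[0] for s in scopes}
    data_access = any(classify_scope(s)[1] for s in scopes)
    offline = first("access_type") == "offline"
    if not data_access:
        verdict = "sign-in only"
    elif offline:
        verdict = "persistent data access"
    else:
        verdict = "data access"
    return {
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "scopes": scopes,
        "scope_labels": labels,
        "touches_mail_or_contacts": data_access,
        "offline_access": offline,
        "verdict": verdict,
    }


AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Constructed sample: a site that only wants to know who you are.
SIGN_IN_ONLY = (
    AUTH_ENDPOINT
    + "?response_type=code&client_id=example-signin.apps.googleusercontent.com"
    + "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb"
    + "&scope=openid%20email%20profile"
)

# Constructed sample: a site that wants your whole mailbox and contacts, forever.
FULL_MAILBOX_FOREVER = (
    AUTH_ENDPOINT
    + "?response_type=code&client_id=example-inbox-app.apps.googleusercontent.com"
    + "&redirect_uri=https%3A%2F%2Fexample.net%2Fcb"
    + "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds"
    + "&access_type=offline"
)


def print_report(url):
    """Human-readable version of audit_authorization_url()."""
    report = audit_authorization_url(url)
    print(f"client_id: {report['client_id']}")
    print(f"verdict:   {report['verdict']} (offline={report['offline_access']})")
    for scope, label in report["scope_labels"].items():
        print(f"  {scope}: {label}")


if __name__ == "__main__":
    for sample in (SIGN_IN_ONLY, FULL_MAILBOX_FOREVER):
        print_report(sample)
        print()
```

Run the script to see the two verdicts side by side; to audit a real site, copy the `accounts.google.com/o/oauth2/...` URL from the address bar before clicking Allow and pass it to `audit_authorization_url`. Unknown scopes are deliberately treated as data access, since a scope you cannot name is not one you should grant blindly.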

  7. This is it... nothing else. No Facebook or Twitter, so no cross-site hijinks with that either.

    Authorized Access to your Google Account
    Connected Sites, Apps, and Services
    You have granted the following services access to your Google Account:

    “GoogleCL for account: ………..” — Google Calendar [ Revoke Access ]
    “GoogleCL for account: ………..” — Google Docs [ Revoke Access ]
    Android Login V1 — Full Account Access [ Revoke Access ]

    Looks like Microsoft has nothing, too...

    Manage your shared information
    You’re not sharing information with any sites.

Comments are closed.