The risk of using apps that access your Gmail account


15 Responses to “The risk of using apps that access your Gmail account”

  1. wolfwitch says:

    I’m no security expert, but I thought OpenAuth only authenticated a given user. I don’t believe it allows a Web site that uses it to actually access any of your Google services.

  2. It would be good to have an answer to that, wolfwitch! Gad. Does this mean we all have to start reading the fine print for every click through? The world needs a vetting service for acceptable and unacceptable fine print that regular people can check out for comfort. Sort of like a writer’s beware site.

    • toupeira says:

      Only apps with the “GMail” permission will have full access to your mails (you can see all your authorized apps at https://accounts.google.com/IssuedAuthSubTokens ). Most sites I use only have the “Sign in using your Google account” permission, which shouldn’t give access to any data.

      But yeah, the authorization dialog could be a lot more clear about what permissions you’re granting exactly.

      • Godfree says:

        I clicked your link but got “The page you requested is invalid.” I was able to access https://www.google.com/settings/ which then let me into my own account and fiddle with the controls there. Thanks, toupeira!

        • toupeira says:

          Ah, it looks like BoingBoing added the closing parenthesis to the link, and I also have user account switching enabled which adds the “/b/0” to the URL. I’ve edited the comment so it hopefully works now.

          • Antinous / Moderator says:

            If you type a ) or a . or a , at the end of a link, it’s going to end up in the URL. I fix dozens of them every day.

  3. I think people need to understand OAuth before thinking it is the issue. OAuth allows you to give access to a third party without needing to give them your credentials. What the article is saying is that this is done so easily people are not considering what they are allowing access to. Nothing new here and it shouldn’t be about OAuth.

  4. brianary says:

    Yeah, that’s not actually what’s happening. OAuth collects a token after *Google* authenticates you and confirms the intent that was sent.

  5. Mr_Smooth says:

    Everyone should check the link provided by toupeira to see what you’ve authorized. You may be surprised.

    I noticed that to sign up for commenting at the Chicago Tribune site using OAuth, you give the Trib access to your Gmail contacts.

    I deleted everything that had anything more than “Sign in using your Google account”.

  6. MrEricSir says:

    Yeah, this article pretty much makes no sense.  Any software that has your Google credentials can access your Gmail with the default settings.  There’s nothing new about this.

    • kosso says:

      Not quite true. Each application you connect has a different “scope” setting. That might be read/write access to Blogger, YouTube, etc. Or maybe simply to know ‘who’ you are using your Plus account (no write access here yet).

      Access to Gmail is a specific one too. See: http://code.google.com/apis/gdata/faq.html#AuthScopes
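
The scope point made in the two comments above can be checked before clicking “Allow”: the consent page Google shows is reached through an authorization URL whose `scope` parameter lists exactly what the app is asking for. The script below is an added example, not something posted in this thread or part of any Google tool; it parses that parameter and sorts each scope into “sign-in only” versus a data grant (mail, contacts, calendar, docs). The scope strings are the published Google ones, the sample URLs are constructed, and the `SCOPE_RULES` table is an assumption that covers only the scopes this thread mentions.

```python
"""Audit what an OAuth authorization URL actually asks a Google user to grant."""
from urllib.parse import parse_qs, urlparse

# Assumed lookup table: scope prefix -> what the grant unlocks. Ordered so
# the broadest grant (full Gmail) is matched before narrower ones.
SCOPE_RULES = [
    ("https://mail.google.com/", "full Gmail read/write/delete"),
    ("https://www.googleapis.com/auth/gmail.", "Gmail (partial, see suffix)"),
    ("https://www.google.com/m8/feeds", "Contacts (legacy GData scope)"),
    ("https://www.googleapis.com/auth/contacts", "Contacts"),
    ("https://www.google.com/calendar/feeds", "Calendar (legacy GData scope)"),
    ("https://www.googleapis.com/auth/calendar", "Calendar"),
    ("https://docs.google.com/feeds", "Docs (legacy GData scope)"),
    ("https://www.googleapis.com/auth/drive", "Drive"),
]

# These only identify the user; they are the "Sign in using your Google account" case.
SIGN_IN_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

def classify_scope(scope: str) -> str:
    if scope in SIGN_IN_ONLY:
        return "sign-in only"
    for prefix, meaning in SCOPE_RULES:
        if scope.startswith(prefix):
            return meaning
    return "unknown scope (treat as a data grant): " + scope

def audit_authorization_url(url: str) -> dict:
    """Map every requested scope to what it unlocks.

    Scopes are space-separated; parse_qs already turns '+' and '%20' back into
    spaces, and apps that repeat ?scope= several times are merged too.
    """
    query = parse_qs(urlparse(url).query)
    scopes = sorted(set(" ".join(query.get("scope", [])).split()))
    return {s: classify_scope(s) for s in scopes}

def data_access_scopes(url: str) -> list:
    """Only the scopes that reach into account data, i.e. what to think twice about."""
    return [s for s, m in audit_authorization_url(url).items() if m != "sign-in only"]

# Constructed sample consent URLs (client_id and redirect_uri are placeholders).
SIGN_IN_URL = ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID"
               "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&scope=openid+email")
CONTACTS_URL = ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID"
                "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
                "%20https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds")

if __name__ == "__main__":
    for name, url in (("sign-in", SIGN_IN_URL), ("contacts", CONTACTS_URL)):
        print(name, "->", data_access_scopes(url) or "identity only")
```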

  7. inedible says:

    Really?

    Just…

    Really?

  8. . says:

    This is it... nothing else. No Facebook or Twitter, so no cross site hijinks with that either.

    Authorized Access to your Google Account
    Connected Sites, Apps, and Services
    You have granted the following services access to your Google Account:

    “GoogleCL for account: ………..” — Google Calendar [ Revoke Access ]
    “GoogleCL for account: ………..” — Google Docs [ Revoke Access ]
    Android Login V1 — Full Account Access [ Revoke Access ]

    Looks like Microsoft has nothing too...

    Manage your shared information
    You’re not sharing information with any sites.
