Comments on: The risk of using apps that access your Gmail account

By: kosso

kosso — Sat, 11 Feb 2012 20:24:00 +0000

Yes. That’s right. After you’ve given an application the rights to access a certain “scope”, then it then has access to the data provided by those API endpoints.

See also the ‘playground’ app here, which can let you choose a’scope’ and then you can Authorize it, which will then show you the authentication request allow/deny page which a user would see, etc.

https://code.google.com/oauthplayground/

By: MrEricSir

MrEricSir — Sat, 11 Feb 2012 20:17:00 +0000

As far as I can tell that document only applies to the GData API.

By: kosso

kosso — Sat, 11 Feb 2012 18:38:00 +0000

Not quite true. Each application you connect has a different “scope” setting.
That might be read/write access to Blogger, YouTube, etc. Or maybe simply to know ‘who’ you are using your Plus account (no write access here yet).

Access to Gmail is a specific one too. See : http://code.google.com/apis/gdata/faq.html#AuthScopes

By: .

Sat, 11 Feb 2012 15:13:00 +0000

This is it.. nothing else. No Facebook or Twitter, so no cross site hijinks with that either.
Authorized Access to your Google Account
Connected Sites, Apps, and Services
You have granted the following services access to your Google Account:

“GoogleCL for account: ………..” —
Google Calendar
[ Revoke Access ]“GoogleCL for account: ………..” —
Google Docs
[ Revoke Access ]Android Login V1 —
Full Account Access
[ Revoke Access ]

Looks like Microsoft has nothing too..
Manage your shared information
You’re not sharing information with any sites.

By: inedible

inedible — Sat, 11 Feb 2012 06:35:00 +0000

Really?

Just…

Really?

By: MrEricSir

MrEricSir — Sat, 11 Feb 2012 05:38:00 +0000

Yeah, this article pretty much makes no sense. Any software that has your Google credentials can access your Gmail with the default settings. There’s nothing new about this.

By: Antinous / Moderator

Antinous / Moderator — Fri, 10 Feb 2012 23:46:00 +0000

If you type a ) or a . or a , at the end of a link, it’s going to end up in the URL. I fix dozens of them every day.

By: toupeira

toupeira — Fri, 10 Feb 2012 23:33:00 +0000

Ah it looks like BoingBoing added the closing paranthesis to the link, and I also have user account switching enabled which adds the “/b/0″ to the URL. I’ve edited the comment so it hopefully works now.

By: Godfree

Godfree — Fri, 10 Feb 2012 23:31:00 +0000

I clicked your link but got “The page you requested is invalid.” I was able to access
https://www.google.com/settings/ which then let me into my own account and fiddle with the controls there. Thanks, toupeira!

By: Mr_Smooth

Mr_Smooth — Fri, 10 Feb 2012 21:51:00 +0000

Everyone should check the link provided by toupeira to see what you’ve authorized. You may be surprised.

I noticed that to sign up for commenting at the Chicago Tribune site using OAuth, you give the Trib access to your Gmail contacts.

I deleted everything that had anything more than “Sign in using your Google account “

By: brianary

brianary — Fri, 10 Feb 2012 20:10:00 +0000

Yeah, that’s not actually what’s happening. OAuth collects a token after *Google* authenticates you and confirms the intent that was sent.

By: Poke With Stick

Poke With Stick — Fri, 10 Feb 2012 20:09:00 +0000

I think people need to understand OAuth before think it is the issue. OAuth allows you to give access to a third party without needing to give them your credentials. What the article is saying is that this is done so easily people are not considering what they are allowing access to. Nothing new here and it shouldn’t about OAuth.

By: toupeira

toupeira — Fri, 10 Feb 2012 20:07:00 +0000

Only apps with the “GMail” permission will have full access to your mails (you can see all your authorized apps at https://accounts.google.com/IssuedAuthSubTokens ). Most sites I use only have the “Sign in using your Google account” permission, which shouldn’t give access to any data.

But yeah, the authorization dialog could be a lot more clear about what permissions you’re granting exactly.

By: Lynda Williams

Lynda Williams — Fri, 10 Feb 2012 19:51:00 +0000

It would be good to have an answer to that, wolfwitch! Gad. Does this mean we all have to start reading the fine print for every click through? The world needs a vetting service for acceptable and unacceptable fine print that regular people can check out for comfort. Sort of like a writer’s beware site.

By: wolfwitch

wolfwitch — Fri, 10 Feb 2012 19:43:00 +0000

I’m no security expert- but I thought OpenAuth only authenticated a given user. I don’t believe it allows a Web site that uses it to actually access any of your Google services.