It's a pretty nasty one, since it uses their standard OAuth flow with an app "Google Docs" to have users grant full access to their email and contacts.
1. I can't believe Google doesn't have basic filters to disallow developers from registering an app named "Google Docs"
2. Perhaps there should be some more validation/limits associated with allowing apps on the platform that can gain full access to email. A secure email account is the One True Source of authentication in the digital world. Google should make it way harder for people to get tricked into granting full access to their inbox.
> 1. I can't believe Google doesn't have basic filters to disallow developers from registering an app named "Google Docs"
Believe! I think this is just one of the many cases where after the fact everyone is like "oh wow, how didn't they think about it". But that doesn't say you would have thought about this before reading this.
> A secure email account is the One True Source of authentication in the digital world.
The gmail account you use to talk with people shouldn't be the same one you use to send password resets to.
It's fine to allow CRM apps or whatever to have OAuth access to your regular gmail account, you just shouldn't give read-write access to the one you use for your retirement account or whatever. (Read-only access is much less dangerous, because even if someone can trigger a password reset email they can't delete it afterwards.)
> The gmail account you use to talk with people shouldn't be the same one you use to send password resets to.
The vast majority of services don't support setting a separate password reset email, so that would be a showstopper for most people. You'd end up just having another email account you have to check all the time (since non-reset email would also go to this account), and could still easily get bitten by this sort of spam/phishing.
> You'd end up just having another email account you have to check all the time
You'd need an extra tab open in your browser that you'd need to check multiple times per day. But most automated messages don't require a response within fifteen minutes or whatever, so there isn't much extra cognitive overhead. And for most people you probably also don't need that email address authed on your phone.
You don't seem to understand. Services send emails to users for a reason. Those users typically want to actually be able to read those emails. That means they need to actually check it regularly, and probably want it available on their phones as well. The email address used here is also the email address the service uses for password reset emails. If you redirect these services to a secondary email that you don't auth on your devices, then you're also greatly reducing the utility of these services.
The cognitive overhead is not my objection (and I agree it wouldn't be much). The problem is that most people's personal email isn't primarily about correspondence anymore; it's about interacting with the various services where you have accounts or subscriptions. So your special password-reset email is also the place where you receive your social media notifications (because your social media account doesn't let you set a separate email for notifications and password resets). So now your password-reset email account is just as vulnerable to phishing because it's _not_ just your password-reset email, and there's no way to make it so.