"Anil Dash counted 88 apps using his Google account, with nine granted access to Gmail." - I'm amazed he can sleep at night. While Twitter and Facebook aren't that bad, I wouldn't allow anyone to access my Gmail account. Additionally, I just checked the tokens list and removed 1 out of 3 apps authorised for Google Docs, because I don't use it any more. With the amount of security issues for web applications these days, you can safely assume that even if you trust the company, they're going to get hacked at some point in the future and someone will copy/delete all the information they have access to.
Again - even if "fortunately, Unroll.me is a totally legit NYC-based startup providing a useful service", that says nothing about their security practices. For all we know, someone already has access to their servers and they will never detect the breakin.
Pretty much exactly what I thought. Facebook and Zynga are the only ones I gave access to. I guess Zynga ended up there because I played Zynga Poker once or twice. Removed it.
I proposed a solution to this problem a couple of years ago. Service providers could monitor how the OAuth token is used by the application and provide a report to users. If a few users could then audit their logs and rate applications, we would quickly flag malicious apps. Services providers would have to make only a few changes to their current OAuth implementations.
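The audit report proposed in the comment above, worked through as an added example (not code from the thread or from any provider): a provider-side pass over its own OAuth access log that tells each user what every authorised app actually did with its token. The log format, client names, resource paths, the placeholder `email`/`contacts` scope names and the thresholds are all constructed for this example; the only real identifier is Google's full-access Gmail scope string.

```python
"""Added example: report how each OAuth client uses the token it was granted.
Log format, client names, resource paths and thresholds are constructed."""
import csv
import io
from collections import defaultdict

# Resource families a token can touch, with the scope each one needs.
# Path prefixes and the first two scope names are placeholders for the example;
# the mail scope is Google's full-access Gmail scope.
RESOURCE_SCOPE = {
    "/userinfo": "email",
    "/contacts/": "contacts",
    "/mail/": "https://mail.google.com/",
}


def build_sample_log():
    """Constructed access log: one CSV row per API call made with a token."""
    rows = [
        "ts,client,granted_scopes,resource,status",
        # A sign-in-only app that keeps trying resources it was never granted.
        "2012-05-01T08:00:01Z,signin-only-app,openid email,/userinfo,200",
        "2012-05-01T08:00:02Z,signin-only-app,openid email,/contacts/all,403",
        "2012-05-01T08:00:03Z,signin-only-app,openid email,/mail/messages,403",
        "2012-05-01T08:00:04Z,signin-only-app,openid email,/mail/messages,403",
        # An address-book sync that stays inside its grant.
        "2012-05-01T09:05:00Z,addressbook-sync,openid contacts,/contacts/all,200",
    ]
    # An inbox-cleaning app with full mail access reading 120 messages in two minutes.
    for i in range(120):
        rows.append("2012-05-01T09:%02d:%02dZ,inbox-cleaner,"
                    "openid email https://mail.google.com/,/mail/messages/%d,200"
                    % (i // 60, i % 60, i))
    return "\n".join(rows) + "\n"


def resource_family(path):
    for prefix in RESOURCE_SCOPE:
        if path.startswith(prefix):
            return prefix
    return "other"


def parse_log(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["granted_scopes"] = frozenset(row["granted_scopes"].split())
        row["status"] = int(row["status"])
        rows.append(row)
    return rows


def usage_report(rows, mail_read_threshold=50, probe_threshold=2):
    """Per-client summary a user could read before deciding whether to keep
    the app authorised: what it touched, what it was refused, and flags."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)

    report = {}
    for client, calls in by_client.items():
        served = defaultdict(int)
        denied = defaultdict(int)
        for c in calls:
            fam = resource_family(c["resource"])
            if c["status"] == 403:
                denied[fam] += 1
            else:
                served[fam] += 1
        flags = []
        # Repeated refusals mean the app asks for data outside its grant:
        # the provider stopped it, but the intent is worth showing the user.
        if sum(denied.values()) >= probe_threshold:
            flags.append("probes-beyond-grant")
        # A mail-scoped app is allowed to read everything; the report still
        # shows the volume so the user knows it is being read, not just "used".
        if served.get("/mail/", 0) >= mail_read_threshold:
            flags.append("bulk-mail-access")
        report[client] = {
            "granted": sorted(calls[0]["granted_scopes"]),
            "served": dict(served),
            "denied": dict(denied),
            "flags": flags,
        }
    return report


def run_example():
    return usage_report(parse_log(build_sample_log()))


if __name__ == "__main__":
    for client, summary in run_example().items():
        print(client, summary)
```

The point of keeping 403s in the report is that an app which is repeatedly refused is telling you what it wanted; the provider's scope enforcement hides that from the user unless it is surfaced like this.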
FTA: "If one’s hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive."
Is that even true? The advantage of OAuth over the "password anti-pattern" is that you can grant limited rights, i.e. sharing my address book with Facebook. That's personal information, but it's not my entire email archive.
It looks like granting access to the Gmail Atom feed allows access to new Inbox emails (but not the entire email body, I think). But if you haven't granted that permission, your emails should be safe. (I think. Any expert opinions?)
The Gmail OAuth system pretty much grants developers unfettered access to your inbox. I built a service called Syphir on top of it that literally examined every email you receive, checked the subject/sender/body against some customer filters, and then acted on the email (starred, deleted, marked as read, delayed, pushed to your phone, etc). Google profiled our mobile app when they launched this service: http://googlecode.blogspot.com/2010/03/oauth-access-to-imaps...
There are two reasons they built this system: (1) So apps won't have to ask for your Google password. This password would give them access to much more than just Gmail. And if you wanted to revoke their access, you'd have to change your password, whereas with OAuth you can just flip a switch in your Google settings. (2) So apps won't have to do hacky stuff with curl to interact with Gmail. It's much easier to use an official API.
That said, if it's possible for an application to read/act on your email, it's possible for them to store your email. And if it's possible for them to store your email, it's possible for a hacker to hack it. So if you're going to use something based on Gmail OAuth, make sure you trust them and that they aren't actually storing your data.
It all comes down to trust and this author is right, he shouldn't trust these companies. If it isn't clear who they are and how they handle your data then you shouldn't trust them.
This highlights a growing problem I see with newly launched consumer-oriented sites (many posted here on HN). Startups are ignoring legal and regulatory requirements around privacy and seem completely insensitive to customers' feelings in this area.
That is going to hurt them in the long run. They'll lose customers like this author. Things are moving fast with regard to privacy around the world. The FTC tagged both Google[1] and Facebook[2] last year for privacy violations. The EU is pushing forward with new, much tougher, regulations[3] and still week after week I see sites come out that don't even have a privacy policy[4].
Wow, unroll.me got a huge traffic influx from being linked in Wired, but when I follow the link it won't let me sign up due to not being on their beta list. It did offer a beta sign up link after that, but that page was broken. Even if it wasn't, having the extra step will destroy the conversion rates. The amount of sign ups they are losing is making me cry. There are startups that would kill for that kind of free, good press, link from a huge site...
Your email is often used as the master key to all your other accounts. Especially if you have old signup or password reset emails hanging around, controlling it makes it easy for someone to control everything else.
So there's more than just privacy at stake here. I go to almost paranoid lengths to protect it from attacks known and unknown because once someone takes it, they can take over almost everything else.
I've been seeing a lot of adverts recently for Google security. This third-party authentication system for Gmail, as described, seems like a complete step in the wrong direction if they're trying to educate regular users about the importance of keeping email - one's online master key - secure. Lock your screen, use a 2-step password, oh, and this new startup with a nice website would like to read your entire email history: Allow/Deny?
Why do OAuth tokens invalidate upon password change? I have some apps that need feed posting access for Facebook pages and users are often confused when they stop working after they change their password.
Makes sense as a security feature. Changing your password implies your account's been compromised; killing OAuth authorizations is a way of making sure no one snuck in any authorizations without you noticing in the process.
2-step verification has made that practice obsolete.
I've read that it's better to use 2-step in conjunction with a strong password that you'll remember, versus regularly migrating from one weak or medium strength password to another.
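The invalidation behaviour asked about and explained a few comments above (tokens dying when the password changes), shown as an added example of one way a provider can implement it. This is the example's own design, not Google's or Facebook's code: every issued token records the account's credential generation at issue time, a password change bumps that generation, and validation compares the two, so all older tokens fail without the token table being touched. Class names, the `publish_stream` scope name and the TTL are the example's own.

```python
"""Added example: OAuth tokens bound to a credential generation, so a
password change invalidates them. Design and names are the example's own."""
import hashlib
import hmac
import os
import secrets
import time


class Account:
    def __init__(self, username, password):
        self.username = username
        self.credential_generation = 0
        self._set_password(password)

    def _set_password(self, password):
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._hash)

    def change_password(self, old, new):
        if not self.check_password(old):
            return False
        self._set_password(new)
        # Every token issued under the previous password is now stale.
        self.credential_generation += 1
        return True


class TokenStore:
    """Server-side table of issued access tokens; only a hash of each token is stored."""

    def __init__(self, ttl_seconds=3600):
        self._records = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, client_id, scopes, now=None):
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {
            "account": account,
            "client_id": client_id,
            "scopes": frozenset(scopes),
            "generation": account.credential_generation,
            "issued_at": time.time() if now is None else now,
            "revoked": False,
        }
        return token

    def validate(self, token, now=None):
        """Return the grant record if the token is still good, else None."""
        rec = self._records.get(self._key(token))
        if rec is None or rec["revoked"]:
            return None
        now = time.time() if now is None else now
        if now - rec["issued_at"] > self.ttl:
            return None
        # The check the thread asks about: a password change since issue
        # invalidates the token even though nobody explicitly revoked it.
        if rec["generation"] != rec["account"].credential_generation:
            return None
        return rec

    def revoke(self, token):
        rec = self._records.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True
        return rec is not None


def demo():
    """Issue a feed-posting token, change the password, and show it is dead."""
    acct = Account("alice", "correct horse")
    store = TokenStore()
    token = store.issue(acct, "page-feed-poster", {"publish_stream"})
    before = store.validate(token) is not None
    acct.change_password("correct horse", "battery staple")
    after = store.validate(token) is not None
    return before, after


if __name__ == "__main__":
    print(demo())
```

Storing only a hash of the token means a leaked token table (the scenario quoted from the article earlier in the thread) does not hand out usable credentials; the generation check is what gives the "change your password to kick everyone out" guarantee the reply above describes.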
What are the steps required by random service before they can start requesting access to Gmail? Is there any form of review before Google issues them an application key, etc?
I think this is difficult to avoid as more apps authenticate logins through sites such as Google, Twitter, and Facebook.
You could always create a special Gmail account that you use to sign up for spam-generating offers or deals and use that to authenticate logins you're not sure about.
That's the link to list the apps that have access to your account, but for the life of me, I can't work out how to get there from any of the other settings pages...
It's a little scary that the authorization is all-or-nothing. Many sites use OAuth just for sign-in (like Stack Overflow), so surely it makes sense to have different levels of access (I was under the impression that fine-grained access control was the whole point of token-based OAuth).
I'm not deeply familiar with OAuth, but it seems that each access token should have not just a revoke ability for the granter, but also a TTL/expiration date which can be altered or seen. I'm also not sure if there are more granular permissions or differentiating tokens; perhaps I want to share my contacts/address book but not my email, and only up to a max of 3 requests per month...
Or just to log in with a service, as that's probably most people's most prevalent reason to use OAuth? I'm surprised that Gmail doesn't have a permissions system like Facebook; it concerns me that right now it's such an all-or-nothing option.
You can use OAuth with your Google account to login to other services without granting them any other permissions. The few apps I've granted access to have a single permission that says "Sign in using your Google account."
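The scope distinction the last few comments are circling (sign-in only versus address book versus the whole mailbox) is visible in the consent-page URL before you press Allow. As an added example, not from the thread, here is a small inspector for a Google-style OAuth 2.0 authorization URL. The scope identifiers are ones Google's endpoint accepts; the risk tiers, the warning text and the two sample URLs are this example's own.

```python
"""Added example: read an OAuth 2.0 authorization URL and say what the app
is really asking for. Tiers, warnings and sample URLs are the example's own."""
from urllib.parse import urlparse, parse_qs

# Google OAuth 2.0 scope identifiers. Grouping them into tiers is the
# example's own reading, not a classification Google publishes.
SIGN_IN_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
MAILBOX_READ = {"https://www.googleapis.com/auth/gmail.readonly"}
FULL_MAILBOX = {"https://mail.google.com/"}
KNOWN = SIGN_IN_ONLY | MAILBOX_READ | FULL_MAILBOX


def parse_authorization_request(url):
    """Pull the fields that matter out of the consent-page URL."""
    q = parse_qs(urlparse(url).query)

    def first(key):
        return q.get(key, [None])[0]

    scopes = set()
    for raw in q.get("scope", []):  # space-separated; parse_qs already undid + and %20
        scopes.update(raw.split())
    return {
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        "scopes": scopes,
        # access_type=offline asks for a refresh token: access outlives your session.
        "offline": first("access_type") == "offline",
    }


def assess(req):
    """Classify the request and list anything a user should notice before Allow."""
    scopes = req["scopes"]
    if scopes & FULL_MAILBOX:
        tier = "full-mailbox"
    elif scopes & MAILBOX_READ:
        tier = "mailbox-read"
    elif scopes and scopes <= SIGN_IN_ONLY:
        tier = "sign-in-only"
    else:
        tier = "other-data"
    warnings = []
    if req["offline"] and tier != "sign-in-only":
        warnings.append("refresh token requested: the app keeps access until you revoke it")
    uri = req["redirect_uri"] or ""
    if uri and not uri.startswith("https://") and not uri.startswith("http://localhost"):
        warnings.append("authorization code would be sent to a non-https redirect_uri")
    return {
        "tier": tier,
        "unknown_scopes": sorted(scopes - KNOWN),
        "warnings": warnings,
    }


# Constructed sample URLs, shaped like the redirect an app sends you to.
SIGN_IN_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=example-signin-app&redirect_uri=https%3A%2F%2Fsignin.example%2Fcb"
    "&scope=openid%20email"
)
INBOX_APP_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=example-inbox-app&redirect_uri=https%3A%2F%2Finbox.example%2Fcb"
    "&scope=openid+email+https%3A%2F%2Fmail.google.com%2F&access_type=offline"
)


def describe(url):
    return assess(parse_authorization_request(url))


if __name__ == "__main__":
    for url in (SIGN_IN_URL, INBOX_APP_URL):
        print(describe(url))
```

A "Sign in using your Google account" grant like the one in the comment above parses to the `sign-in-only` tier with no warnings; an inbox-processing app asking for `https://mail.google.com/` plus `access_type=offline` is the all-or-nothing case the thread complains about, and the inspector says so before the consent page does.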