科技回声 (Tech Echo): a tech news platform built on Next.js, mirroring global tech news and discussion.
© 2025 科技回声. All rights reserved.

Perpetual Window into Gmail

130 points, by twentysix, over 13 years ago

16 comments

viraptor, over 13 years ago
"Anil Dash counted 88 apps using his Google account, with nine granted access to Gmail." - I'm amazed he can sleep at night. While Twitter and Facebook aren't that bad, I wouldn't allow anyone to access my Gmail account. Additionally I just checked the tokens list and removed 1 out of 3 apps authorised for Google Docs, because I don't use it any more. With the amount of security issues for web applications these days, you can safely assume that even if you trust the company, they're going to get hacked at some point in the future and copy/delete all information they have access to.

Again - even if "fortunately, Unroll.me is a totally legit NYC-based startup providing a useful service", that says nothing about their security practices. For all we know, someone already has access to their servers and they will never detect the break-in.
Comment #3579680 not loaded
Comment #3579740 not loaded
vincent123, over 13 years ago
I proposed a solution to this problem a couple of years ago. Service providers could monitor how the OAuth token is used by the application and provide a report to users. If a few users could then audit their logs and rate applications, we would quickly flag malicious apps. Service providers would have to make only a few changes to their current OAuth implementations.

My colleagues and I developed this idea in a paper (see: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5421609). Back then we also had a proof of concept running on our server.
celticjames, over 13 years ago
FTA: "If one's hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive."

Is that even true? The advantage of OAuth over the "password anti-pattern" is that you can grant limited rights, i.e. sharing my address book with Facebook. That's personal information, but it's not my entire email archive.

I believe this list is the scope of possible OAuth permissions: http://code.google.com/apis/gdata/faq.html#AuthScopes

It looks like granting access to the Gmail Atom feed allows access to new Inbox emails (but not the entire email body, I think.) But if you haven't granted that permission, your emails should be safe. (I think. Any expert opinions?)
Comment #3579884 not loaded
jnorthrop, over 13 years ago
It all comes down to trust and this author is right, he shouldn't trust these companies. If it isn't clear who they are and how they handle your data then you shouldn't trust them.

This highlights a growing problem I see with newly launched consumer-oriented sites (many posted here on HN). Startups are ignoring legal and regulatory requirements around privacy and seem completely insensitive to customers' feelings in this area.

That is going to hurt them in the long run. They'll lose customers like this author. Things are moving fast with regard to privacy around the world. The FTC tagged both Google[1] and Facebook[2] last year for privacy violations. The EU is pushing forward with new, much tougher, regulations[3] and still week after week I see sites come out that don't even have a privacy policy[4].

[1] http://www.informationweek.com/news/security/privacy/228200049

[2] http://www.washingtonpost.com/business/technology/facebook-settles-ftc-privacy-complaint-agrees-to-ask-users-permission-for-changes/2011/11/29/gIQAqyJC9N_story.html

[3] http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

[4] http://fandalism.com/
lnanek, over 13 years ago
Wow, unroll.me got a huge traffic influx from being linked in Wired, but when I follow the link it won't let me sign up due to not being on their beta list. It did offer a beta sign up link after that, but that page was broken. Even if it wasn't, having the extra step will destroy the conversion rates. The amount of sign ups they are losing is making me cry. There are startups that would kill for that kind of free, good press, link from a huge site...
Comment #3582086 not loaded
Natsu, over 13 years ago
Your email is often used as the master key to all your other accounts. Especially if you have old signup or password reset emails hanging around, controlling it makes it easy for someone to control everything else.

So there's more than just privacy at stake here. I go to almost paranoid lengths to protect it from attacks known and unknown because once someone takes it, they can take over almost everything else.

Just something to think about.
rhplus, over 13 years ago
I've been seeing a lot of adverts recently for Google security. This third-party authentication system for Gmail, as described, seems like a complete step in the wrong direction if they're trying to educate regular users about the importance of keeping email - one's online master key - secure. Lock your screen, use a 2-step password, oh, and this new startup with a nice website would like to read your entire email history: Allow/Deny?

http://www.youtube.com/watch?v=iAaSBvUD3_w

http://www.youtube.com/watch?v=YJ0TgHKDDkw
forrestthewoods, over 13 years ago
How do I check how many apps I've given authorization to for this kind of thing?
Comment #3580229 not loaded
literalusername, over 13 years ago
"It's so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts."

No, that's patently false.
Comment #3581028 not loaded
bemmu, over 13 years ago
Why do OAuth tokens invalidate upon password change? I have some apps that need feed posting access for Facebook pages and users are often confused when they stop working after they change their password.
Comment #3579779 not loaded
rhplus, over 13 years ago
What are the steps required by random service before they can start requesting access to Gmail? Is there any form of review before Google issues them an application key, etc?
scottilee, over 13 years ago
I think this is difficult to avoid as more apps authenticate logins through sites such as Google, Twitter, and Facebook.

You could always create a special Gmail account that you use to sign up for spam-generating offers or deals and use that to authenticate logins you're not sure about.
6ren, over 13 years ago
https://accounts.google.com/b/0/IssuedAuthSubTokens

That's the link to list the apps that have access to your account, but for the life of me, I can't work out how to get there from any of the other settings pages...

EDIT: it's second from the bottom, in the "Accounts and Import" tab (3rd across): https://mail.google.com/mail/#settings/accounts

It's a little scary that the authorization is all-or-nothing. Many sites use OAuth just for sign-in (like Stack Overflow), so surely it makes sense to have different levels of access (I was under the impression that fine-grained access control was the whole point of token-based OAuth).
unwind, over 13 years ago
The title needs a s/Perpetial/Perpetual/, badly. Aargh.
leeoniya, over 13 years ago
I'm not deeply familiar with OAuth, but it seems that each access token should have not just a revoke ability for the granter, but also a TTL/expiration date which can be altered or seen. I'm also not sure if there are more granular permissions or differentiating tokens; perhaps I want to share my contacts/address book but not my email, and only up to a max of 3 requests per month...
Comment #3579719 not loaded
Comment #3580079 not loaded
Comment #3579837 not loaded
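The fine-grained tokens celticjames, 6ren and leeoniya are asking for, modeled as an added example for this page (not Google's or Facebook's implementation): each token carries a scope set, an expiry and an optional per-month request quota, a contacts-only token is refused mail access, and a password change bumps an account generation counter so that earlier grants stop validating, which is one policy that produces the behaviour bemmu observes (the thread does not say whether Facebook implements it this way). The scope names, resource paths, app names and timestamps are assumptions.

```python
"""Toy resource server enforcing per-token scope, expiry, quota and revocation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed scope names; real Google scopes are URLs (see the gdata FAQ linked above).
SCOPE_CONTACTS = "contacts.readonly"
SCOPE_MAIL_FEED = "mail.inbox-feed"   # new-inbox feed only
SCOPE_MAIL_FULL = "mail.readonly"     # the whole archive

# Scopes that satisfy each resource (assumed resource paths).
RESOURCE_SCOPES = {
    "/contacts": {SCOPE_CONTACTS},
    "/mail/inbox-feed": {SCOPE_MAIL_FEED, SCOPE_MAIL_FULL},
    "/mail/archive": {SCOPE_MAIL_FULL},
}


@dataclass
class Token:
    token_id: str
    app: str
    scopes: FrozenSet[str]
    expires_at: datetime
    monthly_quota: Optional[int] = None      # None means unlimited
    password_generation: int = 0             # account generation when issued
    revoked: bool = False
    used: Dict[str, int] = field(default_factory=dict)  # "YYYY-MM" -> calls made


@dataclass
class Account:
    password_generation: int = 0
    tokens: Dict[str, Token] = field(default_factory=dict)

    def grant(self, token: Token) -> None:
        token.password_generation = self.password_generation
        self.tokens[token.token_id] = token

    def revoke(self, token_id: str) -> None:
        self.tokens[token_id].revoked = True

    def change_password(self) -> None:
        # Policy: a password change may mean the account was compromised, so
        # every grant issued under the old password stops validating.
        self.password_generation += 1


def authorize(account: Account, token_id: str, resource: str, now: datetime) -> Tuple[bool, str]:
    """Decide one API call; returns (allowed, reason)."""
    tok = account.tokens.get(token_id)
    if tok is None:
        return False, "unknown token"
    if tok.revoked:
        return False, "revoked"
    if tok.password_generation != account.password_generation:
        return False, "invalidated by password change"
    if now >= tok.expires_at:
        return False, "expired"
    required = RESOURCE_SCOPES.get(resource)
    if required is None:
        return False, "unknown resource"
    if not (tok.scopes & required):
        return False, "insufficient scope"   # a contacts-only token cannot read mail
    if tok.monthly_quota is not None:
        month = now.strftime("%Y-%m")
        if tok.used.get(month, 0) >= tok.monthly_quota:
            return False, "quota exhausted"
        tok.used[month] = tok.used.get(month, 0) + 1
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a constructed account through the checks; returns each decision by name."""
    now = datetime(2012, 2, 10, tzinfo=timezone.utc)   # constructed timestamp
    acct = Account()
    acct.grant(Token("t1", "mail-cleaner", frozenset({SCOPE_MAIL_FULL}), now + timedelta(days=30)))
    acct.grant(Token("t2", "social-app", frozenset({SCOPE_CONTACTS}), now + timedelta(days=30), monthly_quota=3))
    out = {}
    out["full_token_reads_archive"] = authorize(acct, "t1", "/mail/archive", now)
    out["contacts_token_reads_archive"] = authorize(acct, "t2", "/mail/archive", now)
    for _ in range(3):
        authorize(acct, "t2", "/contacts", now)           # uses up the 3-per-month quota
    out["contacts_fourth_call"] = authorize(acct, "t2", "/contacts", now)
    out["full_token_after_expiry"] = authorize(acct, "t1", "/mail/archive", now + timedelta(days=31))
    acct.revoke("t2")
    out["contacts_token_after_revoke"] = authorize(acct, "t2", "/contacts", now)
    acct.change_password()
    out["full_token_after_password_change"] = authorize(acct, "t1", "/mail/archive", now)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The order of checks matters: revocation and the password generation are tested before expiry and scope, so a revoked or invalidated token is refused even on a resource it would otherwise be entitled to, and the quota counter is only incremented once every other check has passed.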
simonbrown, over 13 years ago
On a related note, do you ever wonder how strong the passwords the authors of the Chrome extensions you use are?