See who has OAuth Tokens to Access Your Google Account (google.com)
96 points by pchristensen on Oct 13, 2010 | 12 comments



This is a list of sites I sign into using Google as my OpenId provider. That's not the same as having "Access [to] Your Google Account".


Not only this. Also all other privileges (contacts, Gmail, analytics) you've shared with apps (maybe you don't).


I'm not naive enough to think that Google is looking out for the little guy in the privacy arena, but I assume this isn't the default (opt-out) behavior. Anyone have an authoritative link on this topic?


No, they don't give any permissions with OpenID. This page lists both OpenID and OAuth-using services. For an example of a service that uses OAuth, try LaTeX Lab (http://docs.latexlab.org/), which uses OAuth to get access to your Google Docs.


Thank you! I just revoked the authorization for most of the services that I wasn't using frequently but had signed up for one fine day.


Unless I'm mistaken, some of those I only granted single use tokens to, so they don't actually still have access.


google.com — Google Calendar [ Revoke Access ]

Oh?


That's kind of weird, I don't think I have this in my access list, but I use calendar all the time.

edit: Wow, guess not


Looks like it automatically comes back if I revoke it.


I'm trying to get some attention from Google about this (potential) privacy issue. How can I be sure that "google.com" is my own Google account? Why does the authorization get automatically renewed after I revoke it, and without my consent? Why does a Google service require an additional authorization to access my account, and why doesn't Google provide any information about it? Worse, I have no way to confirm that it isn't someone else's account that has full access to my data. If that's the case, someone may have read my private calendars for months, and the only way to stop this would be to delete my whole Google account and the 80+ services associated with it.

This issue was reported 4 months ago here http://www.google.com/support/forum/p/gmail/thread?tid=44a4a... and here http://blogoscoped.com/forum/173175.html (and I submitted a report at http://www.google.com/support/accounts/bin/request.py?contac...), but I haven't heard from any Google employee about it.

I'm 99.9% sure there's no privacy breach but I find it troubling that they haven't reacted yet...


Thanks for this. It was very relevant to enter and just review my subscriptions. Tks


What we need to identify are consequences of OAuthing to someone we don't want to. Anyone have a source on that?



