

Perpetual Window into Gmail - twentysix
http://www.wired.com/epicenter/2012/02/perpetual-window-into-gmail/

======
viraptor
"Anil Dash counted 88 apps using his Google account, with nine granted access
to Gmail." - I'm amazed he can sleep at night. While twitter and facebook
aren't that bad, I wouldn't allow anyone to access my gmail account.
Additionally, I just checked the tokens list and removed 1 out of 3 apps
authorised for Google Docs, because I don't use it any more. With the amount
of security issues for web applications these days, you can safely assume that
even if you trust the company, they're going to get hacked at some point in
the future and copy/delete all information they have access to.

Again - even if "fortunately, Unroll.me is a totally legit NYC-based startup
providing a useful service", that says nothing about their security practices.
For all we know, someone already has access to their servers and they will
never detect the break-in.

~~~
Arelius
And really, 88 apps? I don't even use a single one.

------
vincent123
I proposed a solution to this problem a couple of years ago. Service providers
could monitor how the OAuth token is used by the application and provide a
report to users. If a few users could then audit their logs and rate
applications, we would quickly flag malicious apps. Service providers would
have to make only a few changes to their current OAuth implementations.

My colleagues and I developed this idea in a paper (see:
[http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5421...](http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5421609)).
Back then we also had a proof of concept running on our server.

------
celticjames
FTA: "If one’s hacked or the list of tokens leaked, everyone who ever used
that service risks exposing his complete Gmail archive."

Is that even true? The advantage of OAuth over the "password anti-pattern" is
that you can grant limited rights, i.e. sharing my address book with Facebook.
That's personal information, but it's not my entire email archive.

I believe this list is the scope of possible OAuth permissions:
<http://code.google.com/apis/gdata/faq.html#AuthScopes>

It looks like granting access to the Gmail Atom feed allows access to new Inbox
emails (but not the entire email body, I think.) But if you haven't granted
that permission, your emails should be safe. (I think. Any expert opinions?)

~~~
csallen
The Gmail OAuth system pretty much grants developers unfettered access to your
inbox. I built a service called Syphir on top of it that literally examined
_every_ email you receive, checked the subject/sender/body against some
customer filters, and then acted on the email (starred, deleted, marked as
read, delayed, pushed to your phone, etc). Google profiled our mobile app when
they launched this service:
[http://googlecode.blogspot.com/2010/03/oauth-access-to-imaps...](http://googlecode.blogspot.com/2010/03/oauth-access-to-imapsmtp-in-gmail.html)

There are two reasons they built this system: (1) So apps won't have to ask
for your Google password. This password would give them access to much more
than just Gmail. And if you wanted to revoke their access, you'd have to
change your password, whereas with OAuth you can just flip a switch in your
Google settings. (2) So apps won't have to do hacky stuff with curl to
interact with Gmail. It's much easier to use an official API.

That said, if it's possible for an application to read/act on your email, it's
possible for them to store your email. And if it's possible for them to store
your email, it's possible for a hacker to hack it. So if you're going to use
something based on Gmail OAuth, make sure you trust them and that they aren't
actually _storing_ your data.

------
jnorthrop
It all comes down to trust and this author is right, he shouldn't trust these
companies. If it isn't clear who they are and how they handle your data then
you shouldn't trust them.

This highlights a growing problem I see with newly launched consumer oriented
sites (many posted here on HN). Startups are ignoring legal and regulatory
requirements around privacy and seem completely insensitive to customers'
feelings in this area.

That is going to hurt them in the long run. They'll lose customers like this
author. Things are moving fast with regard to privacy around the world. The
FTC tagged both Google[1] and Facebook[2] last year for privacy violations.
The EU is pushing forward with new, much tougher, regulations[3] and still
week after week I see sites come out that don't even have a privacy policy[4].

[1][http://www.informationweek.com/news/security/privacy/2282000...](http://www.informationweek.com/news/security/privacy/228200049)

[2][http://www.washingtonpost.com/business/technology/facebook-s...](http://www.washingtonpost.com/business/technology/facebook-settles-ftc-privacy-complaint-agrees-to-ask-users-permission-for-changes/2011/11/29/gIQAqyJC9N_story.html)

[3][http://ec.europa.eu/justice/newsroom/data-protection/news/12...](http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)

[4]<http://fandalism.com/>

------
lnanek
Wow, unroll.me got a huge traffic influx from being linked in Wired, but when
I follow the link it won't let me sign up due to not being on their beta list.
It did offer a beta sign up link after that, but that page was broken. Even if
it wasn't, having the extra step will destroy the conversion rates. The amount
of sign ups they are losing is making me cry. There are startups that would
kill for that kind of free, good press, link from a huge site...

~~~
dorianj
They appear to have fixed it? When I click on sign up, it goes to the Gmail
OAuth page...

------
Natsu
Your email is often used as the master key to all your other accounts.
Especially if you have old signup or password reset emails hanging around,
controlling it makes it easy for someone to control everything else.

So there's more than just privacy at stake here. I go to almost paranoid
lengths to protect it from attacks known and unknown because once someone
takes it, they can take over almost everything else.

Just something to think about.

------
rhplus
I've been seeing a lot of adverts recently for Google security. This third-
party authentication system for Gmail, as described, seems like a complete
step in the wrong direction if they're trying to educate regular users about
the importance of keeping email - one's online master key - secure. Lock your
screen, use a 2-step password, oh, and this new startup with a nice website
would like to read your entire email history: Allow/Deny?

<http://www.youtube.com/watch?v=iAaSBvUD3_w>

<http://www.youtube.com/watch?v=YJ0TgHKDDkw>

------
forrestthewoods
How do I check how many apps I've given authorization to for this kind of
thing?

~~~
superprime
Under your 'Account settings', go to 'Authorizing applications & sites' in the
first section (Security).

~~~
andrewcooke
curious. i had "localhost" listed there. what does that mean? i revoked access
and am still logged in to gmail.

(i know what localhost means, in that it is the name associated with
127.0.0.1, but how is it a "connected site, app or service"?)

~~~
aptwebapps
Perhaps someone showed you a web app demo on their desktop or laptop (and said
app was installed on the same machine) and you used Google to sign in.

------
literalusername
_It’s so simple and pervasive that even savvy users have no issue letting
dozens of new services access their various accounts._

No, that's patently false.

~~~
aptwebapps
For certain values of savvy, I guess.

------
bemmu
Why do OAuth tokens invalidate upon password change? I have some apps that
need feed posting access for Facebook pages and users are often confused when
they stop working after they change their password.

~~~
ConstantineXVI
Makes sense as a security feature. Changing your password implies your
account's been compromised; killing OAuth authorizations is a way of making
sure no one snuck in any authorizations without you noticing in the process.

~~~
there
_Changing your password implies your account's been compromised_

While it may be in response to a compromise, it's generally good security
practice to change your password periodically.

~~~
shaka881
2-step verification has made that practice obsolete.

I've read that it's better to use 2-step in conjunction with a strong password
that you'll remember, versus regularly migrating from one weak or medium
strength password to another.

------
rhplus
What are the steps required by a random service before they can start requesting
access to Gmail? Is there any form of review before Google issues them an
application key, etc?

------
scottilee
I think this is difficult to avoid as more apps authenticate logins through
sites such as Google, Twitter, and Facebook.

You could always create a special GMail account that you use to sign up for
spam generating offers or deals and use that to authenticate logins you're not
sure about.

------
6ren
<https://accounts.google.com/b/0/IssuedAuthSubTokens>

That's the link to list the apps that have access to your account, but for the
life of me, I can't work out how to get there from any of the other settings
pages...

_EDIT_ it's second from the bottom, in the "Accounts and Import" tab (3rd across):
<https://mail.google.com/mail/#settings/accounts>

It's a little scary that the authorization is all-or-nothing. Many sites use
OAuth just for sign-in (like Stackoverflow), so surely it makes sense to have
different levels of access (I was under the impression that fine-grained
access control was the whole point of token-based OAuth).

------
unwind
The title needs a s/Perpetial/Perpetual/, badly. Aargh.

------
leeoniya
i'm not deeply familiar with OAuth, but it seems that each access token should
have not just a revoke ability for the granter, but also a TTL/expiration date
which can be altered or seen. i'm also not sure if there are more granular
permissions or differentiating tokens, perhaps i want to share my
contacts/address book but not my email, and only up to a max of 3 requests per
month...
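The provider-side monitoring that vincent123 proposes above, combined with the per-token expiry, scope and request-budget controls leeoniya asks for, as an added illustration that is not from the thread or from any real provider. The apps, scopes, grants and access log are constructed sample data; a provider would replay its real token-usage log against the user's grants and hand the resulting report to the user.

```python
from collections import defaultdict
from datetime import datetime

# Constructed grants: what the user authorised per (hypothetical) app, as the
# provider would store it alongside the issued token.
GRANTS = {
    "contacts-sync": {"scopes": {"contacts"}, "expires": datetime(2012, 3, 1), "budget": 3},
    "mail-filter":   {"scopes": {"gmail"},    "expires": datetime(2012, 6, 1), "budget": 10000},
}

# Constructed token-usage log: (app, scope requested, timestamp) per API call.
ACCESS_LOG = [
    ("contacts-sync", "contacts", datetime(2012, 2, 2)),
    ("contacts-sync", "contacts", datetime(2012, 2, 3)),
    ("contacts-sync", "contacts", datetime(2012, 2, 4)),
    ("contacts-sync", "contacts", datetime(2012, 2, 5)),  # 4th call this month: over budget
    ("contacts-sync", "gmail",    datetime(2012, 2, 6)),  # scope the user never granted
    ("mail-filter",   "gmail",    datetime(2012, 2, 7)),
    ("mail-filter",   "gmail",    datetime(2012, 6, 2)),  # token past its expiry date
]

SUSPICIOUS = {"unknown_token", "scope_denied", "budget_exceeded"}

def evaluate(grants, log):
    """Replay each logged call against the grant; return (app, timestamp, verdict) per call."""
    allowed = defaultdict(int)  # (app, year, month) -> calls already allowed that month
    verdicts = []
    for app, scope, ts in log:
        grant = grants.get(app)
        key = (app, ts.year, ts.month)
        if grant is None:
            verdicts.append((app, ts, "unknown_token"))
        elif ts >= grant["expires"]:          # TTL check comes first: a dead token gets nothing
            verdicts.append((app, ts, "expired"))
        elif scope not in grant["scopes"]:    # granular scope check (contacts but not mail)
            verdicts.append((app, ts, "scope_denied"))
        elif allowed[key] >= grant["budget"]: # per-month request budget
            verdicts.append((app, ts, "budget_exceeded"))
        else:
            allowed[key] += 1
            verdicts.append((app, ts, "ok"))
    return verdicts

def user_report(verdicts):
    """Per-app summary for the user to audit and rate: counts by verdict plus a review flag."""
    counts = defaultdict(lambda: defaultdict(int))
    for app, _, verdict in verdicts:
        counts[app][verdict] += 1
    return {app: {"counts": dict(c), "flag": any(v in SUSPICIOUS for v in c)}
            for app, c in counts.items()}
```

An expired token is simply refused, while out-of-scope or over-budget calls raise the review flag, since those are the behaviours a user-facing rating would want to surface.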

~~~
Folcon
Or just to login with a service as that's probably most people's most
prevalent reason to use OAuth? I'm surprised that Gmail doesn't have a
permissions system like Facebook, it concerns me that right now it's such an
all or nothing option.

~~~
slavak
You can use OAuth with your Google account to login to other services without
granting them any other permissions. The few apps I've granted access to have
a single permission that says "Sign in using your Google account."

------
simonbrown
On a related note, do you ever wonder how strong the passwords the authors of
the Chrome extensions you use are?

