Hi all - co-founder of Plaid here. We're in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the commenters on the original issue before we did this and am more than happy to engage/get feedback from anyone else over email/phone/in-person. Feel free to shoot me an email at william [at] plaid [dot] com if you want to chat/have any feedback.
I don't think people are upset about the repo being "archived" and having lost access to the issue, per se. I think people are (justifiably) furious because you offer a product which is fundamentally insecure in its current state and seem to refuse to fix it. And it's not that websites which are using your product are susceptible to attacks, but that a malicious website can impersonate your product and it will be indistinguishable from a legitimate site. Let that sink in. A malicious website can be indistinguishable from a legitimate customer of yours, and users WILL enter their banking information. That is the heart of people's completely justified outrage here, and it's baffling that anybody on your security team could have possibly signed off on this. If people on your security team don't see the problem here they should be immediately fired and never work in the security field again. You guys better have some really expensive lawyers, because it feels like you are being criminally negligent here and should absolutely be held liable when some users inevitably have their lives destroyed as a result.
Can we get a way where we can centrally manage linked accounts? I have at least 5 apps that use Plaid and I should be able to go to your website and see what authorizations I have enabled and disable them.
Yes! We're actually working on something in this space that I'm really excited about. If you shoot me an email I can get you on the beta and would love your feedback!
There’s no glory in being excited to launch a basic permissions/access panel for end users of an auth product that should’ve shipped on Day 1. Shameful.
Obviously. But why would banks ever do that? They see Robinhood, Lending Club, Venmo, etc. as competitors. No way they're going to open up APIs to them unless the government forces the banks to do it.
So maybe Plaid will be what Venmo was to Zelle. I have been following this space for a while now. When Plaid came into the picture, it made Yodlee be more open. So maybe in 10 more years we will have open bank APIs.
They have been trying to get banks to have APIs for years with no luck -- ofx/ofc. Mint went their own way for scraping and Watsi died because they did NOT want to do scraping. I was actually surprised when 2 years ago Xero got a "direct integration" with Wells Fargo. Synapse got some funding a couple of days ago; one can certainly hope.