Hacker News new | past | comments | ask | show | jobs | submit login

The authentication happens on a different site (the Google login site) then, and you only get back a token. The worst the ad could do is steal your token then, which will only be valid for a little while.

OTOH if it’s so easy to steal it, they could just steal the next one, not needing any credentials at all. Or steal the refresh token?

How would an ad possibly steal the token then?

Rephrase: how would one make sure it’s protected.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact