Massive oversight in allowing non-Google apps to call themselves Google, in Google's own web interface. Incredible. https://twitter.com/zachlatta/status/859843151757955072 …
-
-
Doesn't that just change the phish from "click this auth button" to "paste this code in your settings"? People will do it if it looks legit.
-
Not if the settings procedure makes it clear you're giving something new access to your email.
-
The fundamental bug here is that the OAuth "give app access to your email" click-thru looks JUST LIKE OAuth "identify yourself to a site".
-
These are fundamentally opposite-direction authentication tasks and should look/act nothing like each other.
-
Absolutely agree with this. Sorry, I thought you meant that all authorisations should be via your account settings.