Massive oversight in allowing non-Google apps to call themselves Google, in Google's own web interface. Incredible. https://twitter.com/zachlatta/status/859843151757955072
Replying to @SwiftOnSecurity
Yep. Also you cannot tell native Google or Twitter apps from outside ones. How about a blue checkmark for native ones?
1 reply 0 retweets 15 likes
Replying to @zeynep @SwiftOnSecurity
How about NEVER allowing click-through to grant any app access to your account/private data?
1 reply 0 retweets 1 like
The only way to auth a third-party client access to your GMail should be initiating the request yourself from inside GMail Settings.
1 reply 0 retweets 5 likes
Doesn't that just change the phish from "click this auth button" to "paste this code in your settings"? People will do it if it looks legit.
2 replies 0 retweets 0 likes
Not if the settings procedure makes it clear you're giving something new access to your email.
1 reply 0 retweets 0 likes
Replying to @RichFelker @Kemp_J and
The fundamental bug here is that the OAuth "give app access to your email" click-thru looks JUST LIKE OAuth "identify yourself to a site".
1 reply 0 retweets 1 like
These are fundamentally opposite-direction authentication tasks and should look/act nothing like each other.
Absolutely agree with this. Sorry, I thought you meant that all authorisations should be via your account settings.
0 replies 0 retweets 2 likes