On 2.10.2012 9:40, Ole Wolf wrote:
The code currently demonstrates that Google's requirement that users manually authorize applications to access their data can easily be circumvented, meaning that it provides a false sense of security. All you need to do is provide your Google username and password to an application, and it will be able to do anything with any of your Google data without you knowing any better.
Users should never enter their Google credentials into any application that asks for them, only into either the browser authorization page or a trusted SSO user agent. The needed methods are clearly outlined in the OAuth 1/2 RFCs. Of course, nothing will protect users if they willingly give their credentials to an untrusted party.
Otherwise it becomes a notable security risk, because the same account credentials are used to authorize credit card payments in the context of the Play store, AdWords, etc.
_______________________________________________ SyncEvolution mailing list [email protected] http://lists.syncevolution.org/listinfo/syncevolution
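The flow the reply above is describing, as an added example that is not part of the thread and not SyncEvolution's own code: an OAuth 2 authorization-code exchange with both sides in one process. The "authorization server" here is a tiny constructed stand-in (not Google's), and the client id `syncapp`, the redirect URI, the scope names, the user `alice` and her password are all invented for the demonstration. It shows what the password-prompting approach throws away: the application only ever receives a single-use code and a token limited to the scopes the user consented to, the password is entered only at the provider's authorization page, and a callback carrying a `state` the app did not issue is rejected.

```python
"""Constructed OAuth 2 authorization-code flow: client app plus a stand-in provider."""
import hashlib
import hmac
import secrets
import urllib.parse


class AuthorizationServer:
    """Stand-in for the provider. It is the ONLY party that ever sees the password."""

    def __init__(self):
        salt = b"constructed-salt"  # constructed user record, salted hash of the password
        self._users = {"alice": (salt, hashlib.sha256(salt + b"correct horse").hexdigest())}
        self._clients = {"syncapp": "https://syncapp.example/callback"}  # registered redirect URI
        self._codes = {}   # one-time authorization codes -> (client_id, user, scope)
        self._tokens = {}  # access tokens -> (user, scope)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """The browser consent page: the user authenticates here, never inside the app."""
        if self._clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        salt, digest = self._users[username]
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, scope)
        # The code (not the password) travels back to the app via the registered redirect.
        return f"{redirect_uri}?{urllib.parse.urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code):
        """Exchange a single-use code for a scoped access token."""
        client, user, scope = self._codes.pop(code)  # pop: a replayed code fails with KeyError
        if client != client_id:
            raise PermissionError("code was issued to another client")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (user, scope)
        return tok

    def api(self, token, needed_scope):
        """Resource access is limited to the scopes the user consented to."""
        user, scope = self._tokens[token]
        if needed_scope not in scope.split():
            raise PermissionError(f"token lacks scope {needed_scope}")
        return f"data for {user}"


class ClientApp:
    """The application. It holds no password, only a scoped token."""
    client_id = "syncapp"
    redirect_uri = "https://syncapp.example/callback"

    def __init__(self, server):
        self.server = server
        self.pending_state = None
        self.token = None

    def start(self, scope):
        """Build the URL the user is sent to in a real browser."""
        self.pending_state = secrets.token_urlsafe(16)  # CSRF binding for the callback
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state}
        return "https://auth.example/authorize?" + urllib.parse.urlencode(query)

    def finish(self, callback_url):
        """Handle the redirect back: verify state, then swap the code for a token."""
        params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback_url).query))
        expected, self.pending_state = self.pending_state, None  # state is single-use too
        if expected is None or not hmac.compare_digest(params.get("state", ""), expected):
            raise PermissionError("state mismatch: callback was not initiated by this app")
        self.token = self.server.token(self.client_id, params["code"])
        return self.token


def demo():
    """Full happy path plus an out-of-scope request; returns what the app could access."""
    server = AuthorizationServer()
    app = ClientApp(server)
    url = app.start("contacts calendar")
    state = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))["state"]
    # The user types the password into the provider's page, which answers with a redirect.
    callback = server.authorize("syncapp", app.redirect_uri, "contacts calendar",
                                state, "alice", "correct horse")
    app.finish(callback)
    result = {"contacts": server.api(app.token, "contacts")}
    try:
        server.api(app.token, "payments")  # not consented to, so it must fail
        result["payments_allowed"] = True
    except PermissionError:
        result["payments_allowed"] = False
    return result


def tampered_callback_rejected():
    """A callback whose state the app never issued must not be exchanged for a token."""
    server = AuthorizationServer()
    app = ClientApp(server)
    app.start("contacts")
    forged = app.redirect_uri + "?" + urllib.parse.urlencode({"code": "x", "state": "wrong"})
    try:
        app.finish(forged)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), tampered_callback_rejected())
```

The contrast with the behaviour described in the quoted message is the point: with a password in hand an application can reach every service behind the account, including the ones that authorize payments, whereas here the token cannot even be used for a scope the user did not grant, and the provider can revoke that one token without the user changing a password.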
