> Never ever share your login credentials with a third-party.
It uses Google's OAuth; the site never sees your password
> Why is this a web app?
Because it's for the average user, and people who don't have time or skill to export their data, research graph formats, then write some ETL to get it into that format, then download Gephi to view it. It makes great sense as a webapp.
Works great, perfectly determined which people in my workplace are programmers and which are biologists (by giving them a different color).
Could one subvert the graph building with the following? Construct an email address A1 that will forward emails to you from person B. Likewise, you communicate with B through their B1. After a period of time (or n messages), switch the pass through entity to a different email address A2 and make a rule on the mail server to bounce the emails from B if they try to reach you at A1. Keep using A1 with someone else.
That's the first we've heard of that error. When the user logs out, they are also presented with the link to revoke access via Gmail. Sorry you weren't able to get to that page. If you want to make sure that your data is deleted, we can do a manual delete of your metadata (if it exists on our server) for you. Just write to us at the address on the website.
very interesting, analyzed 40k+ emails and I didn't find that much I didn't already know. More surprised about what can be seen with just an oauth token.
It's not just any OAuth token it's a token that asks for permissions to "view all your mail" among other things.
Most Oauth tokens won't ask for this highly elevated permission.
OAuth is not designed around Authentication, the Auth in OAuth is actually about Authorisation. It was designed for this purpose, to authorise others to have access to your mail, or contacts, etc. That it has been co-opted for Authentication purposes (particularly in Oauth2) has just been a side effect.
17 comments
[ 2.8 ms ] story [ 44.3 ms ] threadNever ever share your login credentials with a third-party.
This could have been done as local open-source tool. Why is this a web app?
You can do this yourself with tools like Gephi.
It uses Google's OAuth; the site never sees your password
> Why is this a web app?
Because it's for the average user, and people who don't have time or skill to export their data, research graph formats, then write some ETL to get it into that format, then download Gephi to view it. It makes great sense as a webapp.
> You can do this yourself
You're completely missing the point
Could one subvert the graph building with the following? Construct an email address A1 that will forward emails to you from person B. Likewise, you communicate with B through their B1. After a period of time (or n messages), switch the pass through entity to a different email address A2 and make a rule on the mail server to bounce the emails from B if they try to reach you at A1. Keep using A1 with someone else.
Also, anyone else get a stuck logout&delete button after getting the data? Ended up having to revoke access via Gmail Accounts.
Most Oauth tokens won't ask for this highly elevated permission.
OAuth is not designed around Authentication, the Auth in OAuth is actually about Authorisation. It was designed for this purpose, to authorise others to have access to your mail, or contacts, etc. That it has been co-opted for Authentication purposes (particularly in Oauth2) has just been a side effect.