I couldn’t help but interrupt someone at the coffee shop as I saw them entering their Gmail username and password into some random third-party system to “grab your contacts”.
I get why sites have been doing this, but now that we have the Google Contacts API there shouldn’t be a need.
What astounded me was the logic that this fellow used. He talked about how he used really good, different passwords, and never kept them in his email, so if the third-party site was malicious they wouldn’t get anything good.
He didn’t seem to realize that by giving away the key to your email account, you are doing a LOT more than letting someone look at that email to your mum. With it, they have the keys to your “forgot password?” life. They can quickly go to accounts that you have all over the shop, simulate a forgotten-password use case, and now they DO have access to your account info.
It isn’t about what is in your email beforehand; it is the access to future email that matters.
This is why I was over the moon when the contacts API saw the light of day, and I hope to see all providers do similar work.