I couldn’t help but interrupt someone at the coffee shop as I saw them giving their Gmail username and password into some random third party system to “grab your contacts”.

I get why sites have been doing this, but now we have the Google Contacts API there shouldn’t be the need.

What astounded me was the logic that this fellow used. He talked about how he used really good, different passwords, and never kept them in his email, so if the third party site was malicious they wouldn’t get anything good.

He didn’t seem to realize that by giving away the key to your email account, you are doing a LOT more than letting someone look at that email to your mum. With it, they have the keys to your forgot password? life. They can quickly go to accounts that you have all over the shop, simulate a forgotten password use case, and now they DO have access to your account info.

It isn’t about what is in your email before hand, it is the access to future email that matters.

This is why I was over the moon when the contacts API saw the light of day, and I hope to see all providers do similar work.

We tend to often trust the people that we load JavaScript from too much. So many new startups require you to just include that little tidbit of JavaScript. “Just copy and paste this somewhere on your blog”.

Of course, if the site gets compromised in anyway you are loading script from the Bad Guys. If you are a bad guy what are you doing? Looking for third parties that offer services that people embed, and watching like a hawk to see them mess up their DNS so you can pounce. You have automated systems to do this.

Watch out, and let’s get together to work out a possible solution, whether it be short term or longer.