Accessing Webmail Addressbook: Goosync Gets it Right

Published on 20 October 2008

The Bad

There are a lot of services out there (SNS like Facebook) that offer you to import your email contacts to see if some of your existing friends are already on the service. Then you can connect to them. You're happy because you don't have to hunt for your friends, your friends are happy to connect to you and the service is happy because it makes you more likely to come back. Additionnally, they offer you an option to spam your friends not already on the service, but they usually do it in a respectful way (i.e. they make sure you do want to spam your friends, and which friends). However, 90% of the time - and even for high-profile, tech-savy companies like Facebook - they do it wrong. But really, really wrong. They ask you for your username and password and use it on your behalf to login to your webmail and retrieve your address book. This is bad. This is pretty much as bad as lending you credit card and PIN number to a stranger so he can do some shopping for you. When you do that, you're pretty much giving away the keys of your home. During that time, the service can make a copy and pay a visit to your home any time your want. And I don't know for you, but my gmail account is my single most sensible password (except for my banking password). The reason is that any service have a "reset my password" option that emails you a link. Therefore, get access to my primary email account and you get access to my whole online world. Heck, you can even kick me out by changing the password. Some may argue that Facebook or other website are nice people and won't do that. Well, I have no guarantee that they will not store the password. I have no guarantee that one of there thousands of employees won't have access to it. Furthermore, this practice is teaching users that it's OK to give credentials for a service to another, and they're making scammers work much easier.

The Good

So, what's the solution? That's simple, for GMail Google now offers an API for third party to retrieve contacts of a user. The process for the user is simple:
  • Third party redirects to a page on Google asking "Do you want to grant access to your contacts for this service?" If the user is already logged in to Google, he doesn't even need to input his login and password.
  • User says "yes", and gets redirected back to the third party service.
Voilà! Now, the service can access the contacts - and only the contacts. They can't read your email. They can't change your password. And at any time, you can revoke the access from a page on Google. That's what GooSync does (a service to synchronize your Google contacts and calendar to your mobile phone) and that's what everyone should do. It really feels good to see a service using this API, so I can give them access to my contacts (and getting a real benefit from it) without giving them full access to my mailbox. Users: Don't give away your login info to third party! You're giving away the keys of your home and taking a big risk. Web Developers: Don't ask your users for their gmail/yahoo/hotmail credentials! You're teaching them it's OK to do so, and making them more vulnerable to scammers.
TAGS: gmail  goosync  Misc  phone