Ubuntu has full access to the Google account through the Chromium browser?

[L K]

I became a browser through the Linux Mint repository.

I go to Gmail.

Then I check here https://myaccount.google.com/permissions?pli=1 and I see that Ubuntu has full access to my account.

I forbid access.

I change the password.

Again I go to Gmail.

Again I check here https://myaccount.google.com/permissions?pli=1 and again I see that Ubuntu has full access to my account.

Is there reason to worry?

[PhistucK]

Something tells me this might be related -

https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-dev/identity%7Csort:date/chromium-dev/XnS6bSfqaK4/afYNEE6pAAAJ

☆PhistucK

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/8e9523db-2488-48f4-a15a-81aa0a13767b%40chromium.org.

[vita...@google.com]

+msarda@ directly to check whether this is related.

[Mihai Sardarescu]

Hi L K,

What you see in that list if the application that have access to your account via OAuth 2.0 authorization token. In this particular case, I suppose you are using the Chromium Ubuntu derivative. I also suppose that this Chromium derivative has configured its name as Ubuntu in the Google developer console (these are all suppositions, so you may want to reach out to the Chromium Ubuntu owners for confirmation).

Starting recently, when you sign in to Google web (e.g. to gmail), Chrome (and Chromium derivatives) gets and OAuth 2.0 token in addition to a cookie. This is why you see that application appearing in https://myaccount.google.com/permissions?pli=1 . You need not worry about this.

Cheers,

- Mihai

[PhistucK]

What can the browser do with those tokens, though?

☆PhistucK

--

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/7c0bfbf9-1ca1-478a-a49c-c097ca79bf93%40chromium.org.

[Mihai Sardarescu]

Like cookies, the OAuth 2.0 token gives a wide access to your Google account (but then again you just entered your Google account credentials in this Chromium app so it means that you trust this application). Today Chrome (and its derivatives) uses this token today only for downloading the user profile information (the image, the full name on the account) to provide personalized "turn sync on promos". Chrome will also use the same token when you choose to enable sync from such a promo. We are also working on giving access to the account information to extensions via the chrome.identity API before the user enables sync. In the future we will use the token for more assistive features in Chrome.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+unsubscribe@chromium.org.

[PhistucK]

While you trust it to pass the credentials safely to somewhere, it does not mean you want (not trust, want) to let the browser (not the website) do stuff with your account (even if it is just to fetch information).

Signing into Google !== Signing into the browser :|

☆PhistucK

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/7c0bfbf9-1ca1-478a-a49c-c097ca79bf93%40chromium.org.

--

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/3137f479-6f72-4efe-b563-d637ab25a838%40chromium.org.

[Jochen Eisinger]

On Tue, Jul 10, 2018 at 1:46 PM PhistucK <phis...@gmail.com> wrote:

While you trust it to pass the credentials safely to somewhere, it does not mean you want (not trust, want) to let the browser (not the website) do stuff with your account (even if it is just to fetch information).

Signing into Google !== Signing into the browser :|

If you type your account credentials into a piece of software, that piece of software has full control over your account. Aside from the technical details that Mihai explained, I think it's reasonable to point this out in our UI given that we produce both the identity provider and the browser.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CABc02_%2BwphehEJjHDffV8qbYiPRERKims0REhXQ-EFbzFHT8rQ%40mail.gmail.com.