Strange request to access script file for add-on


Monique Szpak

Oct 4, 2019, 3:14:36 AM
to Google Apps Script Community

Hi all,

I've received an email "Request for access" to the script file of a published add-on. This add-on was published nearly 18 months ago, it is one of 4 published add-ons, and this is the first time I've received such a request.

The request contains the name and email address of the requester. I've no idea who this person is.

From: "Some One (via Google Apps Script)" <som...@gmail.com>

The email contents are: 

som...@gmail.com is requesting access to the following file: 
<Link to file>
[Open sharing settings]

The Link opens my script and the Open button opens the script's sharing dialogue.

I've just gone through installing the add-on and inspecting all code, links, options and related website content in case I had somehow included a link. Nothing I can see. There must be a link to it somewhere. It's early and I've not had coffee yet so perhaps I'm missing something obvious?

I Googled the sender name and found him on LinkedIn where his picture matches his Google picture. He's a bit of an old IT spod so perhaps he was just fishing around to see if he could find the code.

Naturally I'm not going to grant access but I'm curious as to how such a request would be generated. 

Has anyone else received a script access request?

M





 

Amy Schmitt

Oct 4, 2019, 3:39:27 AM
to google-apps-sc...@googlegroups.com
Personally I would ask a person of power. I've read the first page twice. I got hacked. Actually manipulated. Lost all my electronics. Just got em back. If someone asked me that. I would put em on hold. For a long time.


Romain Vialard

Oct 4, 2019, 4:37:21 AM
to Google Apps Script Community
Yes I can confirm that I received a lot of "Requests for access" yesterday - 10, for 3 different add-ons.
It happened before. I suppose there's a bug happening from time to time, where a user ends up on the script edit url and he clicks on the "request access" without knowing what to do.

So, don't worry, it's not related to something you did / misconfigured. It can happen again (it happened a few times for me during the last month, I received one or 2 access requests at a specific time, then nothing for days, then new access requests, always from new users).

Monique Szpak

Oct 4, 2019, 4:53:50 AM
to Google Apps Script Community
I have noticed that some changes to the install/uninstall process have become apparent lately so perhaps this is just an undesirable side effect and it will be fixed by the devs soon.

Thanks!

Steve Webster

Oct 4, 2019, 7:32:21 AM
to google-apps-sc...@googlegroups.com
I had one a few weeks ago for the first time. After checking the "Show Original" of the email and IP address was found. That IP address was from Mountain View, CA, which is Google's HQ. Then I hoped this was not an attempt from Google themselves.

Kind Regards,

Steve Webster
SW gApps LLC, President 
Google Product Expert in: Google Apps Script, Drive, and Docs 
Google Vendor (2012-2013) || Google Apps Developer Blog Guest Blogger 
Add-ons: Text gBlaster and Remove Blank Rows



Faustino Rodriguez

Oct 4, 2019, 7:49:55 AM
to Google Apps Script Community
To ask for access to a script file you only need the Google file id of that script (either standalone or embedded)
And that file id is accessible when inspecting the add-on sidebar code, within the [the grand-parent] iframe src tag

I guess it should NOT be that way, but it is there ...

Dimu Designs

Oct 4, 2019, 8:33:39 AM
to Google Apps Script Community
Yet another point of vulnerability...I just hope that when Google addresses this issue we don't end up with more restrictions on the dev side of things. 

Andrew Apell

Oct 4, 2019, 9:12:17 AM
to Google Apps Script Community
I think I have received 3 or 4 of these in the past month but I just ignore and move on.
It's always like this:

pic.PNG


I should email one of them and find out what they clicked to make this happen

Alan Wells

Oct 4, 2019, 9:39:31 AM
to Google Apps Script Community
I received one request for permission to my add-on code years ago, after I first published my add-on, and never had one since.  I'd be curious to know if this happens just to, or mostly to, people with paid add-ons.  A hacker could be looking for payment/customer information.

I make most of my function names private by adding an underscore to the end.


Most of my function calls to the server from the client side go through one main function.  That avoids showing lots of server function names in the client side code.

You can't put a private function name on:

google.script.run.exampleFunctionName(); // Can't put an underscore on the function name

It would be meaningless to put a private function name in the client side code, because anyone can see the source.

Andrew Apell

Oct 4, 2019, 3:01:45 PM
to Google Apps Script Community
@Alan, They can view the source? How?

Alan Wells

Oct 4, 2019, 3:20:56 PM
to Google Apps Script Community
No, someone can't view the server side source code in your add-on.  It is however possible to get any of your server function names from the client side, if a function name is not private.  So, if someone knew a server side function name, they could modify the client side script, and make a google.script.run.functionName() call to that known server function, and get the return value.  Is that a problem?  For the most part, probably not.  It depends.  But it's better to provide little or no knowledge of your code.  If you had a function named:

function refund_Pay_Pal()

You wouldn't want someone to know the name of that function.
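
The single-entry-point pattern described in the two posts above, as an added example that is not code from any poster: only `dispatch` is public, the handlers carry the trailing underscore, and the server checks an allowlist and the caller's identity before running anything. All handler names, actions and e-mail addresses are hypothetical, and `testUser_` stands in for the Apps Script session so the block also runs under Node.

```javascript
// Added example: names, actions and addresses are hypothetical.
// In Apps Script a function whose name ends in "_" is private, so
// google.script.run cannot reach it from the sidebar.

let testUser_ = 'user@example.com'; // constructed; used only outside Apps Script

// Identity comes from the server-side session, never from the client payload.
function currentUser_() {
  return typeof Session !== 'undefined'
    ? Session.getActiveUser().getEmail()
    : testUser_;
}

function getSettings_(user, payload) {
  return { owner: user, theme: 'light' };
}

function issueRefund_(user, payload) {
  return { refunded: String(payload.orderId), by: user };
}

// Allowlist of actions the client may request.
const ACTIONS_ = Object.freeze({
  getSettings: { fn: getSettings_, adminOnly: false },
  issueRefund: { fn: issueRefund_, adminOnly: true },
});
const ADMINS_ = new Set(['owner@example.com']); // constructed

// The only public server function. Client side:
//   google.script.run.withSuccessHandler(cb).dispatch('getSettings', {});
function dispatch(action, payload) {
  // Own-property check rejects "constructor", "__proto__" and similar keys.
  if (typeof action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(ACTIONS_, action)) {
    return { ok: false, error: 'unknown action' };
  }
  const entry = ACTIONS_[action];
  const user = currentUser_();
  // A known action name is still refused without the right identity.
  if (entry.adminOnly && !ADMINS_.has(user)) {
    return { ok: false, error: 'forbidden' };
  }
  return { ok: true, result: entry.fn(user, payload || {}) };
}
```

With this layout the client source reveals only the name `dispatch` and the action strings, and a caller who edits the client to request `issueRefund` is still refused unless the session identity is on the admin list.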

Andrew Apell

Oct 8, 2019, 1:12:32 AM
to Google Apps Script Community
Excellent recommendation Alan!
I came across this underscore feature while researching Google's Closure Compiler.
I hadn't implemented it yet but your post made me make the change.

Romain Vialard

Oct 9, 2019, 12:30:17 PM
to Google Apps Script Community
Definitely a bug on Google's side.
It happened again and I was able to replicate the issue.

It happens during the add-on installation. The scope authorization popup displayed during installation is replaced by this "Request access" Google Drive screen, as if the script wasn't correctly deployed as an add-on.

Romain Vialard

Oct 9, 2019, 12:34:37 PM
to Google Apps Script Community
Thus, when you receive such a "request for access" message, you can assume that a user tried and failed to install your add-on, due to a temporary error on Google's side.
As this "request for access" message contains the email address of the user, you could advise him to try to install again.

Monique Szpak

Oct 9, 2019, 12:47:42 PM
to Google Apps Script Community
I got a couple more just now. Also received some "service not available" exceptions in the past few days. Google do seem to be having some issues.

Alan Wells

Oct 9, 2019, 1:23:43 PM
to Google Apps Script Community
It just happened to me for the first time.  Two emails asking for access to my script file.  Plus I've had one user of a new add-on reporting sporadic failures.  Sometimes it works, sometimes it doesn't.  Creating a calendar event, for example.  If my code works 2 out of 3 times for exactly the same thing, then it's probably not something wrong with my code.  It's probably something wrong at Google.  People who are willing and able to pay for services, aren't going to want to pay anything for something that lets them down on a regular basis.