got-your-back

Privacy concerns

Open billythemusical opened this issue 2 years ago • 8 comments

Hi there - can someone explain to me if, in authorizing this app, I am authorizing a third party access to my private information (emails, etc.)? I am mainly asking because, at one point in the verification process, it asks me to sign in to my Google Account using my password, but the browser window URL is not google.com, but https://gyb-shortn.jaylee.us/atar2j

Thanks!

billythemusical May 22 '22 16:05

That's just a redirect / short link. You will notice your browser is being redirected immediately.

aggregated May 28 '22 11:05

The short answer is No, you are not.

Slightly longer answer: you are authorising your own Google Cloud project to act on your behalf, and on others' behalf. So when you run GYB, you will not have to provide credentials for every action. The credentials are stored in the JSONs you create during installation and setup. It is super important that you don't share those files with others, or leave them in an unsafe location.

NoSubstitute Jul 04 '22 10:07

I have the same question. @NoSubstitute, thanks for the explanation! A couple of questions I have:

  • how can I verify that a third party does not have access to my credentials? For example, how can I personally verify that https://gyb-shortn.jaylee.us/atar2j can't access my credentials?
  • is there a way to simply hand GYB the client_secrets.json that I can download from Google, and have it avoid the web authorization altogether?

More specifically, if I

  1. Create a project at console.google.com
  2. Enable that project to use the Gmail API
  3. Create OAuth credentials for that project and download them locally into client_secrets.json
  4. Supply client_secrets.json to GYB,

then shouldn't that be all that GYB requires to download my email? But if I do this, I find that it is asking me to "authorize a third party app". Why is this step required, and what does it do that the steps above don't do?

I trust this project given it's FOSS and well used, but for something as private as email, I'd love to trust but verify, hence the questions. Google seems to make it really hard to tell what is being given authorization, which is yet another reason these questions have come up for me.

Thanks a bunch in advance!

redstreet May 18 '23 09:05

When you authorise, it shows you exactly what you are authorising. For GYB to work with Gmail, it should show that your project needs full access to Gmail, understandably. During the setup of GYB you authorise GYB to set it up, but that authorisation can be removed afterwards.

Yes, you can do all the things manually.

The bit about "third-party app", I'm not sure what you are referring to. Perhaps @jay0lee does and can explain what's going on, and how you can be certain that nothing is done automatically.

NoSubstitute May 18 '23 10:05

Thank you, @NoSubstitute. I did follow the manual directions, but it's the verification part that brought up the same questions as the OP.

I think what's not clear to me is:

  • where can I see that I'm authorizing just the code running on my computer, and not a third party?
  • if that's all I'm authorizing, why am I made to click on a third party link to verify, and can I avoid having to do that? (The manual directions seem to require it as well)

Thanks again!

redstreet May 18 '23 17:05

The third-party link is a redirect to accounts.google.com to authorize an oauth scope -- if you curl it you can see the 301, and if you open it in the browser the address bar should ~immediately change to the google URL as it processes the redirect.

Presumably it does this because the oauth URLs are absolutely massive and if you're in a situation where the user is copy-pasting URLs it's a lot easier to give the short form.

(That said, it definitely is not possible to "do all the things manually", or at least, it's not documented -- the "manual" instructions still request permission to "see, edit, configure, and delete your Google Cloud data and see the email address for your Google Account" in order to create the project configuration. Presumably someone familiar with both Google Cloud and GYB could configure a cloud project "by hand" and point GYB at it?)

ToxicFrog Jun 22 '23 12:06

@ToxicFrog, thanks, it helps to know curl-ing it verifies it's a 301 redirect.

The remaining thing that's unclear to me is what I'm authorizing on the google.com page. It usually says something along the lines of "do you authorize XXX to <read your data, etc.>". Any tips on how a user could verify that 'XXX' is only their desktop GAM client, and not a third party client that can read the user's data?

redstreet Jun 24 '23 06:06

The page should contain information about the exact client_id used.

NoSubstitute Jun 24 '23 12:06
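
The two checks discussed in this thread (the short link is only a redirect to accounts.google.com, and the consent request names your own client_id) can be done offline on the headers that `curl -sI` prints. This is an added example, not part of the thread and not GYB's code: the function names are hypothetical, the headers and client_secrets.json content are constructed samples, and the loopback check assumes a desktop-type OAuth client.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: response head as `curl -sI <short link>` might print it.
SAMPLE_HEADERS = (
    "HTTP/2 301\r\n"
    "location: https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=1234567890-example.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F"
    "&response_type=code&scope=https%3A%2F%2Fmail.google.com%2F+email\r\n\r\n"
)
# Constructed sample of a downloaded client_secrets.json (secret omitted).
SAMPLE_SECRETS = json.dumps({"installed": {
    "client_id": "1234567890-example.apps.googleusercontent.com",
    "redirect_uris": ["http://localhost"]}})

def redirect_target(raw_headers):
    """Return (status_code, Location value) from a raw HTTP response head."""
    lines = raw_headers.splitlines()
    status = int(lines[0].split()[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return status, value.strip()
    return status, None

def audit_auth_url(location, client_secrets_json):
    """Return (problems, scopes) for an OAuth authorization URL."""
    own = json.loads(client_secrets_json)
    own = own.get("installed") or own.get("web") or {}
    url = urlsplit(location)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    problems = []
    # Exact host match: a look-alike such as accounts.google.com.example.net fails.
    if url.scheme != "https" or url.hostname != "accounts.google.com":
        problems.append("sign-in host is %r, not accounts.google.com" % url.hostname)
    if params.get("client_id") != own.get("client_id"):
        problems.append("client_id %r is not the one in client_secrets.json"
                        % params.get("client_id"))
    # Assumption: a desktop client receives the code on a loopback address.
    back = urlsplit(params.get("redirect_uri", "")).hostname
    if back not in ("localhost", "127.0.0.1", "::1"):
        problems.append("authorization code would be sent to %r" % back)
    return problems, params.get("scope", "").split()

if __name__ == "__main__":
    status, location = redirect_target(SAMPLE_HEADERS)
    print(status, *audit_auth_url(location, SAMPLE_SECRETS))
```

An empty problem list means the consent page is served by Google for the client_id in your own file, and the returned scope list is what that client is asking for.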