We reveal a security problem in the Google Cloud API Console


  • Vivaldi Team

    While working on the Technical Preview of the Mail and Calendar client, the Vivaldi security team encountered a security problem, possibly a security vulnerability.

    Click here to see the full blog post



  • Ferst?


  • - Ambassador -

    Well in any case I have no intention of connecting this thing to the Vivaldi Mail client.



  • @OlgaA I am probably misunderstanding something (as usual) 😵

    When you approve an app’s access to your Gmail account, you do that via an “OAuth Consent Screen” that informs you about the app requesting access, and what it is requesting access to. Part of that screen is a support email address.

    So if I have a problem enabling this, I am supposed to send an email to the "support address"?
    How do I do this if I have no access to email because OAuth failed? 😖



  • First line support should not have to also manage the security of an account with high security that has access to about everything else in that account. (also when they access the account not every network they are on is secure or not compromised)

    Google has bugs with some of their security features like the authorization app that is used to allow a sign in. If the phone charging port catches fire (melting the port) or the battery is dead people are locked out of their Google account. I have also seen 1 time where 2 different Google accounts get the same 2FA sms code.

    Side note Google does not have a working customer support system. (I know about the forums but questions are closed without asking and not being fixed)



  • I'm wondering: Why does GMail NEED OAuth? Is using IMAP + CalDAV not allowed?



  • @Brawl basically Google don't want competitors using their services.



  • First Vivaldi article I read from within the new feed system!



  • A unlimited access to GC API seems to be a fair prize 🥇



  • @Brawl Mail at the moment presume you want Oauth 2.0 for gmail.
    The plain IMAP - or as google call it ""insecure way"" - to access it is in consideration as a work in progress.



  • @brawl: besides "security" used as an excuse to not allow eaey access for competition there are not standardized features that may or may not be available through API



  • I'm sure that now Google will definitely allow more than 100 Gmail logins with Vivaldi's client 🙂



  • @Kocho I hope so.



  • I think it is clear that Google's OAuth is much more about tracking and controlling users and other service providers than security. Of course it is good to have Google's OAuth sorted, because that's the recommended method and therefore, it is more convenient for the users, but please let the users to choose authentication methods, so they are not stuck by such artificial restrictions.



  • So if they insist to use that way – where is the point in not just giving them an address wich only has an auto-reply sending back the usual support channels?
    Besides I am quite sure the responsible Vivaldi team members would not be taken in by the described targeted attacks. Additionally just give a huge password, lock the 2nd factor into the safe, done.

    Still it's not understandable why they take since February to get things done.


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.