Nick Daw's Writing Blog - Inside the writing world of Nick Daws

Monday, September 01, 2014

Email: Be Careful What You Authorize

Image: "4 Days of Spam" by cogdogblog, on Flickr (Creative Commons Attribution-Share Alike 2.0 Generic License)

I'm a bit off topic today, but I wanted to share some thoughts about a problem I've experienced recently with my Gmail account.

What has happened is that on three occasions recently, spam emails have been sent in my name to people who are (or were) on my Gmail contacts list. Many apologies, by the way, if that includes you.

You might assume this means my account has been hacked, but that doesn't appear to be the case. There are no spam emails in my 'Sent Items' folder, and on my Gmail security page there is no evidence of any log-ins other than those I have made myself. It seems pretty clear that my identity in the spam emails was spoofed (which is of course very easy to do).
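The spoofing-versus-compromise question in the paragraph above can also be checked from a copy of the spam that one of the recipients received, by reading the `Authentication-Results` header their mail server added. The following is an added example, not part of the original post: it reports whether a message really passed through the mail system of the domain shown in its From line, or only carries a forged From line. The function names, the sample messages and the host `mx.example.net` are constructed for illustration, and domain alignment is simplified to an exact match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    """Domain part of an address or bare domain, lower-cased."""
    return value.strip("<>@ ").rpartition("@")[2].lower()

def classify(raw, trusted_authserv):
    """Return 'sent-via-provider', 'spoofed-from' or 'unknown' for one raw message."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    seen, aligned = False, []
    for header in msg.get_all("Authentication-Results", []):
        # Unfold continuation lines, then split off the stamping server's id.
        authserv, _, results = " ".join(header.split()).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not stamped by our own server, so the sender could have forged it
        seen = True
        for method, prop in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.[di]")):
            m = re.search(rf"\b{method}=pass\b[^;]*?\b{prop}=([^\s;]+)", results)
            # A pass only counts if it is for the same domain as the visible From line.
            if m and _domain(m.group(1)) == from_domain:
                aligned.append(method)
    if not seen:
        return "unknown"
    return "sent-via-provider" if aligned else "spoofed-from"

# Constructed samples (not real messages); mx.example.net stands for the recipient's server.
SPOOFED = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounce@bulk-sender.example;\n"
    " dkim=none; dmarc=fail header.from=gmail.com\n"
    "From: A Writer <a.writer@gmail.com>\n"
    "Subject: hello\n\nbody\n"
)
GENUINE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=a.writer@gmail.com;\n"
    " dkim=pass header.i=@gmail.com\n"
    "From: A Writer <a.writer@gmail.com>\n"
    "Subject: hello\n\nbody\n"
)
# Same spam, but the sender prepended a fake "pass" header of their own.
FORGED = "Authentication-Results: mx.attacker.example; dkim=pass header.d=gmail.com\n" + SPOOFED

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE), ("FORGED", FORGED)):
        print(name, classify(raw, "mx.example.net"))
```

A result of `spoofed-from` matches the situation described in the post: the account itself was not used to send the mail. A result of `sent-via-provider` would instead point at the account, or at an application authorized to send from it.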

I was still puzzled by how the spammers got hold of my email contacts list, though. Initially I wondered if the Gmail servers had been hacked, but this seemed unlikely, and I hadn't heard any similar-sounding reports. After the third time it happened, I pretty much discounted that possibility.

I still don't know for sure, but after I visited the Google Account Permission page, a more likely explanation became apparent. As you may know, this page lists all the applications that have permission to access any component of your Google Account (which of course includes Gmail). There were about eight on my page, most of which appeared legitimate, including Chrome, Picasa, Feedly, Mail by Microsoft, and so on.

There were one or two that looked dubious, however, including Quora, a sort of social networking service I joined a year or two ago and soon lost interest in. Quora got a bad reputation a while back, when they were found to be sending emails to the contacts of existing Quora members urging them to join up as well. I could see from my Account Permission page that I had (inadvertently) given them permission to access my contact lists as well.

Obviously I can't prove that Quora were to blame for my contacts list getting into the wrong hands, but it is certainly a possibility. So I immediately revoked their access permission, along with a couple of other services I thought less likely (though still possible) candidates. I also changed the vague 'Access for Less Secure Apps' on the Security Settings Page from Enabled to Disabled. I am hoping that these measures will prevent any further breaches, although I can't guarantee this if some evil spammer has downloaded and saved my contact list and plans on using it again.

So what is the moral of this story? If you have a Gmail account, I strongly recommend that you head over to the Security Settings Page today and check (in particular) the account permissions you have granted. If there are any applications listed you aren't happy to have access to your account, you can disable them with a single click.

I'm not exactly sure how other web-based email accounts such as Yahoo email work, but if possible I would recommend checking the security settings and permissions on these as well. Who knows, it could save you the embarrassment of having all your friends and other contacts sent spam in your name like me!

If you have any comments or questions on this post, as ever, please feel free to post them below.
