May 1, 2020

"Ubuntu Has full access to your Google Account" - Beware of this security bug if you are using Chromium Browser on Ubuntu

I'm not the kind of dude who's too nerdy about IT security in general but I reviewed my Google Account's security today because I happened to land there as I wanted to change some other Google setting. Now what I saw literally shocked me:



I happen to use a handful of apps where I use my Google account but the permissions are limited to what they do (for example, the Car Driving Simulator app can only access the Google Play Service and nothing else). However, this app called "Ubuntu" has full access to my Google account which I thought was odd.

Though I happen to use an Ubuntu OS (18.04 LTS to be precise), they don't seem to be the kind who will hijack permissions to their users' Google accounts. Further research led me to this and this which are eye-opening posts in this regard, and then it struck me that I also use the Chromium Browser installed right from the Ubuntu repos using apt!

I also remember signing into Chromium browser so as to sync my bookmarks, etc. with my Android phone. Just to verify, I removed the access to Ubuntu and for sure, the sync feature on my browser suddenly stopped and I was temporarily signed out. So, I signed into Chromium again and that permission (Ubuntu Has full access!) came up again in its place. Now, I understand that it's Chromium and not Ubuntu who is given permissions here, but there are a few problems (or rather a bug) with this workflow:
  1. It's not Ubuntu who gets the permissions here but Chromium browser, so you should specifically state that otherwise your user will feel nervous and uncomfortable about who is using their Google account.
  2. When you "sign in" to the browser, it nowhere makes it clear that it's taking these permissions from the user, so there is an amount of stealth here. This must be fixed.
  3. Why full access? You only need to sync bookmarks and stuff.
  4. Why doesn't this happen when you use regular Chromium instead of one from Ubuntu's repos?
To summarize, if you happen to use the Chromium browser on Ubuntu and also signed into it using your Google account, there is a good chance that the Chromium app (who also calls himself "Ubuntu" to identify with Google!) will have full access to your Google account. To verify this, you may visit your My Google Account page's "Security" section where app permissions to your Google account are displayed.

4 comments:

Dalton said...

This is not Chromium, it's the Online Accounts feature included with Ubuntu and many other desktop Linux distributions. It allows you to use your Google account across different applications in the OS, for example to receive email and sync calendars in Evolution. Search for Online Accounts in System Settings.

Unknown said...

Thanks for the research, I've noticed it too for both of my Google accounts. Using Chromium as well from the repos. Google claims this "Ubuntu app" is used by 1,000,000 - 5,000,000 users worldwide.
(I'm not using the "online accounts" feature or something related)

Paul Andrew Anderson said...

This has been the case for many years now, and there have been no tech-wide warnings concerning it. But this is central to the Chrome & Chromium browsers. Opera is a Chromium-based browser, and it's in the Linux Mint repos, but when using Opera while logged into my Gmail (and thus Google) account/s, Ubuntu does not show up in Opera at all, on the page titled: myaccount.google.com/permissions. Nor does it show up in Firefox; only in Chrome/Chromium. FYI

monk of YHVH said...
This comment has been removed by the author.
