by chatmasta 816 days ago
The web was rampant with these patterns in the early 2010s when OAuth didn't exist, and HTTPS was the exception rather than the rule.

The most egregious example was probably LinkedIn's GMail "integration," ostensibly used to invite your GMail contacts to LinkedIn. Back then, that sort of thing felt innocuous. But the implementation was even worse. Due to lack of OAuth and MFA, you literally entered your GMail password into LinkedIn. Then LinkedIn logged into your GMail account where they could do anything. Even if they limited it to scraping your contacts, they still got every email address you'd ever sent or received an email to or from, over the lifetime of the account.

In any other context this would be called phishing. And by the way, this pattern still exists. For example, apps that force you to log into a third party site in their embedded WebView can read the entire DOM (including your password). ..

1 comment

Yeah definitely. There are still some pretty bad patterns out there; for example, if you try to add an event from Facebook Events to your Google Calendar, instead of generating a normal ICS file or event link, they... ask for read/write access to your entire Google Calendar account. No thanks!

Similar to apps that ask for access to your entire Contacts list to "find your existing friends"... You can bet they're uploading that entire thing to their servers and trying to growth hack with it.

Would be nice if APIs offered more granular permissions. Almost every one of these is global read/write so it’s impossible to distinguish between good and bad actors.