I was a victim of yesterday's google doc phishing attack. The email I received had a link and when clicked it asked for certain permissions. I gave access at that time but after few minutes I removed the permission from my google security page. However I am not sure what kind of permissions were given to the hacker. If I click on the link now the google page shows this message.
Error: disabled_client
The OAuth client was disabled.
Request Details
client_id=946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com
scope=https://mail.google.com/ https://www.googleapis.com/auth/contacts
immediate=false
include_granted_scopes=true
response_type=token
redirect_uri=https://googledocs.gdocs.pro/g.php
customparam=customparam
That’s all we know.
What kind of permissions were given to the hacker based on the above information? I am more interested in whether the hacker had access to my emails or not.
If they were able to gain access to my emails, is there a way to check whether or not they were able to successfully download my emails? I had removed the permission few minutes after giving access.
The hacker had access to your contacts and your mail account, as visible in this line:
scope=https://mail.google.com/
https://www.googleapis.com/auth/contacts
Related
Users can go to account.google.com and revoke access from my site. How can I accomplish the same thing?
I have a site that uses Google authentication. The site, however, does not have a sign up process. New users are added by the site administrators. This is accomplished by simply adding their email to a list. This works fine in most cases. If a user comes to the site they are requested to authenticate with Google. I get their email if it is on the list I let them in. If it is not I tell them that they are not authorized to use the site.
If the user has multiple Google accounts logged in to their browser everything works fine. If the user has only one account signed in, and that is an authorized account all is well too. The next time they go to the site they are allowed in without authentication. Which is really cool.
However, if the one account they have signed in with on their browser is not authorized they are immideatly taken to the "You are not authorized" page. They are not given the opportunity to sign in with some other account.
If I could revoke the permission they granted to the site in Google (for unauthorized users), the next time they come to the site it would ask them to sign in again and give them the option of signing in with another account. Authorized accounts are typically work accounts. I am afraid that because the sign in process is so quick and easy, if someone accidentally signs in with their personal account on their phone they won't get a second chance to correct the error.
This is done by Revoking the token. Thanks #DalmTo
In some cases a user may wish to revoke access given to an application. A user can revoke access by visiting Account Settings. It is also possible for an application to programmatically revoke the access given to it. Programmatic revocation is important in instances where a user unsubscribes or removes an application. In other words, part of the removal process can include an API request to ensure the permissions granted to the application are removed.
I'm making an application that requires access to the shared/room-resource calendars in an Office 365 instance, using non-admin accounts. I've registered an app (in the Microsoft Application Registration Portal) using the V2 endpoint and Auth Code Grant. This successfully allows me to log in, and gives me a functional token with the Calendars.ReadWrite.Shared scope. With this token, I can retrieve my own calendars, and calendars that have been explicitly shared with me (and therefore added to my list of calendars). All of this is doable with just the normal Calendars.ReadWrite scope.
However, I get errors when requesting access to any other shared calendars, like the room calendars. Here's an example. If I make a GET call to https://graph.microsoft.com/beta/users/my-own-email#business.com/calendars it successfully returns a list of my calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/calendars I get a 404 (Not Found) Error. The same error occurs for any other user, not just meeting rooms. Note that I can see these calendars when I'm logged into Office 365 online with the same account.
A different error occurs if I ask for events not calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/events, I get a 500 (Internal Server) Error.
I've checked all the other threads I can find on the issue, and this one from November How to access shared calendars from Office REST API? says there's some kind of blocking issue on Microsoft's end. It's using the Office REST API rather than Graph, but on the back-end the APIs call the same stuff. Is this issue still about? Alternatively, am I missing some further permissions? I tried adding quite a few different permissions on top of Calendars.ReadWrite.Shared, but none of them fixed it. Is there a correct combination?
Thanks so much for any help, and let me know if any other info would be useful for diagnosis.
So if anyone else happens to be interested in this, I figured out a way to access room resource calendars without using the Calendars.ReadWrite.Shared permission. This allows you to use just the Calendars.ReadWrite permission to access the room resources, by moving them into the list of calendars of the email you're authenticating with. However, it will only work for specific accounts that you share the calendars with, so won't be usable in apps that have to work for any account. This is good enough for my use-case, but may not be for yours.
First, find or make an account that is a delegate to, and has full access to, the room resource calendar you want to use. On that account click 'Open another mailbox' in the dropdown list under your profile image.
Open another mailbox location
In the pop-up that follows, put in the email address of the room resource calendar that you want to use.
Then, on the new page that opens (which should be the Office account of the room resource calendar):
Navigate to the calendar page
Click 'Share'
Share the default calendar with the account you plan to authenticate with.
Then log into that 'authentication' account, check its email for the notification of the shared calendar, and click 'accept'. What this will do is move the calendar into the authenticated account's list of calendars, meaning you can access it with just a call to the https://graph.microsoft.com/v1.0/me/calendars endpoint. You'll have to repeat it for every calendar you want to be able to access, sadly.
I'm not quite sure that this is the right place to ask my question, but I've searched all over and haven't been able to figure out my problem. Google Support told me to post in ththe AdWords API forum, and they sent me here. I have a developer account used for the Analytics API (520577192276#developer.gserviceaccount.com), which was set up several years ago by a colleague who is no longer with the company. I've looked for the password for this account all over the place, but I haven't been able to find it. I tried recovering the password, however the recovery email is the same as the email on the account (520577192276#developer.gserviceaccount.com), and since I can't get in to that account, I can't check the email.
We're very close to reaching the limit of 100 Google accounts for the 520577192276#developer.gserviceaccount.com account. I tried requesting an increase to 200, but I was told I needed to approve the request via email using the 520577192276#developer.gserviceaccount.com account, which as you see above, I'm not able to access.
It looks like this account is linked to another account we use (rioseo.ga#gmail.com) with Google Analytics and Google My Business. When I log into the Google Developer Console with the rioseo.ga#gmail.com account, I can see the API enabled for the 520577192276#developer.gserviceaccount.com, and all the other details related to the Analytics API. Is there any way I can recover or reset the password for 520577192276#developer.gserviceaccount.com so I can approve an increase in user accounts?
I am currently researching Google+ REST API to post to a user's stream.
The basic requirements are:
The post should be created without user's review using server side request (user should give his permission to post on his behalf in the future).
The post must be visible to all user's friends.
As i understand from reading the documentation, posting to the stream without actually getting permission in creation time from the user is impossible, however, creating 'moments' doesn't require permission upon-posting, so the user should give his permission when authorizing the app.
Since i didn't find anything that explains how can a moment be created to be visible to all user's friends - can someone who is familiar with this API explain how visibility of a moment is being determined and on which step? reference to an API documentation would be good as well, but i didn't find any.
Thanks
The moment methods do not write directly to a user's Google+ stream. They instead write to a user's profile, and are not necessarily viewable by others depending on the user's preferred sharing settings.
Manage app activities in Google
During authorization the user chooses who their activity is visible to.
Once authorized a user should be able to see their own activities on Google+ and you can view other people's activities by clicking on an app from their profile about page.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.